Cicero (cicero@redneck.efga.org)
24 Dec 1998 04:30:20 -0000
Antonomasia <ant@notatla.demon.co.uk> wrote:
>
>Jim Gillogly <jim@acm.org>
>
>> If you use a good modern cipher for each step of the 30-bit cascade and
>> include no identifying information in each step, there should be no
>> other shortcut. "Good" for this purpose means it produces a distribution
>> of bytes indistinguishable from uniform random to someone who doesn't
>> know the key.
>
>Does this mean that padding the final block is out and ciphertext
>stealing is in?
Or you can use either CFB or OFB, neither of which has any padding at
the end. OFB needs salt; prepending a random or pseudo-random IV to
the message, and hashing the pass phrase with it will prevent key
repetition. The only requirement on the salt is uniqueness. CFB
requires either unique session keys, or else unique IVs. Failure to
do so will put the initial block (8 bytes) of plaintext at risk. But
unique IVs are not that hard to construct; some encryption utilities
use time(), PGP uses randseed.bin (as it does for the session keys).
Cicero
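The three points in Cicero's reply (OFB and CFB need no end-of-message padding; hashing the pass phrase with a prepended random salt/IV gives a fresh key per message; a reused CFB key/IV exposes the first 8-byte block) worked through as an added Python example that is not part of the original thread. The block cipher is a hypothetical keyed-hash stand-in: OFB and CFB only ever call the forward direction, so it is enough to show the modes' behaviour, but it is not a real cipher.

```python
import hashlib
import os

BLOCK = 8  # 8-byte blocks, matching the "initial block (8 bytes)" in the message

def derive_key(passphrase: bytes, salt: bytes) -> bytes:
    # Hash the pass phrase together with the salt: a fresh salt yields a fresh key.
    return hashlib.sha256(salt + passphrase).digest()

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Hypothetical stand-in for a block cipher's encryption direction (keyed hash
    # truncated to one block). OFB/CFB never need the decryption direction.
    return hashlib.sha256(key + block).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))  # truncates to the shorter input

def ofb(key: bytes, iv: bytes, data: bytes) -> bytes:
    # OFB: keystream E(IV), E(E(IV)), ... XORed onto data of any length, no padding.
    out, fb = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        fb = block_encrypt(key, fb)
        out += xor(data[i:i + BLOCK], fb)
    return bytes(out)  # the same call decrypts

def cfb(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    # CFB: each block's keystream is E(previous ciphertext block); first block uses E(IV).
    out, fb = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        res = xor(chunk, block_encrypt(key, fb))
        out += res
        fb = chunk if decrypt else res  # the ciphertext block always feeds back
    return bytes(out)

def cfb_first_block_leaks(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    # Same key and IV => same E(IV), so c1[:8] ^ c2[:8] == p1[:8] ^ p2[:8].
    c1, c2 = cfb(key, iv, p1), cfb(key, iv, p2)
    return xor(c1[:BLOCK], c2[:BLOCK]) == xor(p1[:BLOCK], p2[:BLOCK])

def encrypt_message(passphrase: bytes, plaintext: bytes) -> bytes:
    # Prepend a random salt, use it as the OFB IV and to derive a per-message key.
    salt = os.urandom(BLOCK)
    return salt + ofb(derive_key(passphrase, salt), salt, plaintext)

def decrypt_message(passphrase: bytes, blob: bytes) -> bytes:
    salt, body = blob[:BLOCK], blob[BLOCK:]
    return ofb(derive_key(passphrase, salt), salt, body)
```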
The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:17:38