Mok-Kong Shen (mok-kong.shen@stud.uni-muenchen.de)
Fri, 29 Jan 1999 09:50:35 +0100
Jim Gillogly wrote:
> Whether inferring the master key is easy or hard, the point is that
> the security of the system under this assumption (known plaintext)
> is dependent solely on the master key, and there is no more security
> applying it to hashes than applying it to a well-known value such
> as a counter representing the number of the message or a nonce given
> at the beginning of the message itself. Given that the security is
> reduced to that of the master key and cipher, why go to the trouble
> of hashing previous plaintexts? You're trusting the strength of the
> cipher used for master key -> session key conversion anyway, so you
> may as well trust it for the known plaintext case as well, and skip
> the extra computations and complications, which do not buy you any
> extra protection in the known plaintext case.
I'll attempt to answer your question. One thought behind the scheme
is that, if the system as a whole is not broken, then using the
correct key can serve as sort of authentication. I am not sure
I am justified though. Please correct me if I am wrong. An additional
remark is that the hash function can be chosen to offer another
level of security (over that of the master key).
M. K. Shen
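As an added illustration, not code from the thread or from either author, the following Python models the two session-key derivations Jim contrasts (master key applied to a message counter versus to a hash of all earlier plaintexts) and checks which derivation inputs an observer can reconstruct. HMAC-SHA256 is assumed here as a stand-in for the cipher doing the master-key -> session-key conversion; the master key and message list are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values for this illustration; not taken from the thread.
MASTER_KEY = b"constructed-master-key-0000000000"
MESSAGES = [b"first message", b"second message", b"third message"]


def prf(master_key: bytes, data: bytes) -> bytes:
    """Master-key -> session-key conversion step.

    HMAC-SHA256 is an assumption standing in for whatever keyed cipher the
    scheme actually uses; the argument only needs it to be a keyed PRF.
    """
    return hmac.new(master_key, data, hashlib.sha256).digest()


def counter_input(message_number: int) -> bytes:
    """Scheme A: the PRF input is the message counter, a public value."""
    return message_number.to_bytes(8, "big")


def history_input(previous_plaintexts: list) -> bytes:
    """Scheme B: the PRF input is a hash over all earlier plaintexts.

    Each plaintext is length-prefixed so message boundaries are unambiguous.
    """
    h = hashlib.sha256()
    for m in previous_plaintexts:
        h.update(len(m).to_bytes(4, "big") + m)
    return h.digest()


def session_key(master_key: bytes, scheme: str,
                message_number: int, previous_plaintexts: list) -> bytes:
    """Derive the session key for one message under the chosen scheme."""
    if scheme == "counter":
        return prf(master_key, counter_input(message_number))
    if scheme == "history":
        return prf(master_key, history_input(previous_plaintexts))
    raise ValueError(f"unknown scheme: {scheme}")


def observer_can_reconstruct_prf_input(scheme: str, all_previous: list,
                                       known_previous: list) -> bool:
    """Can an observer compute the PRF input without the master key?

    `known_previous` lists the earlier plaintexts in order, with None in the
    place of any the observer does not know. In neither scheme is the master
    key needed for this step; it is the only secret that remains.
    """
    if scheme == "counter":
        return True  # the counter is public whatever the observer knows
    if any(m is None for m in known_previous):
        return False  # a single unknown earlier plaintext breaks the chain
    return history_input(known_previous) == history_input(all_previous)


def demo() -> dict:
    """Walk the constructed message list and summarise both derivations."""
    results = {}
    for i in range(len(MESSAGES)):
        previous = MESSAGES[:i]
        results[i] = {
            "counter_key": session_key(MASTER_KEY, "counter", i, previous).hex()[:16],
            "history_key": session_key(MASTER_KEY, "history", i, previous).hex()[:16],
            # Known-plaintext assumption: the observer has every earlier message.
            "observer_has_prf_input": observer_can_reconstruct_prf_input(
                "history", previous, previous),
        }
    return results


if __name__ == "__main__":
    for number, summary in demo().items():
        print(number, summary)
```

Under the known-plaintext assumption the reconstruction check returns True for both schemes, which is the point Jim makes: the PRF input is public either way, so only the master key separates the observer from the session key, and the history hash costs extra work without adding secrecy. The history scheme only differs when some earlier plaintext is unknown to the observer, which falls outside the assumption under discussion.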
The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:18:06