Warning! New cryptographic modes!
Jerry Leichter
leichter at lrw.com
Mon May 11 20:29:06 EDT 2009
On May 11, 2009, at 7:08 PM, Matt Ball wrote:
> Practically, to make this work, you'd want to look at the solutions
> that support 'data deduplication' (see
> http://en.wikipedia.org/wiki/Data_deduplication). These techniques
> typically break the data into variable length 'chunks', and
> de-duplicate by computing the hash of these chunks and comparing to
> the hashes of chunks already stored in the system. These chunks
> provide a useful encryption unit, but they're still somewhat
> susceptible to traffic analysis. The communication should
> additionally be protected by SSH, TLS, or IPsec to reduce the exposure
> to traffic analysis.
It's interesting that data-dedup-friendly modes inherently allow an
attacker to recognize duplicated plaintext based only on the
ciphertext. That's their whole point. But this is exactly the
primary weakness of ECB mode. It's actually a bit funny: ECB mode
lets you recognize repetitions of what are commonly small, probably
semantically meaningless, pieces of plaintext. Data-dedup-friendly
modes let you recognize repetitions of what are commonly large chunks
of semantically meaningful plaintext. Yet we reject ECB as insecure
but accept the insecurity of data-dedup-friendly modes because they
are so useful!
-- Jerry
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
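As an added illustration of the equality leak discussed above (this is not code from the thread or from any product named in it): a constructed convergent scheme that derives both key and nonce from the chunk's hash, beside a randomized scheme with a fresh nonce. It uses Go's standard-library AES-GCM; the sample chunk and the fixed 32-byte key are constructed values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// encryptConvergent is a constructed dedup-friendly ("convergent") scheme:
// key and nonce are both derived from SHA-256 of the chunk, so identical
// plaintext chunks always produce identical ciphertext. That is what lets a
// store recognise a duplicate, and it is also the ECB-style equality leak,
// only at chunk granularity rather than block granularity.
func encryptConvergent(chunk []byte) []byte {
	h := sha256.Sum256(chunk)
	block, _ := aes.NewCipher(h[:]) // 32-byte key derived from content
	aead, _ := cipher.NewGCM(block)
	nonce := h[:aead.NonceSize()] // nonce derived from content as well
	return aead.Seal(nil, nonce, chunk, nil)
}

// encryptRandomized uses a fixed key and a fresh random nonce, so two
// encryptions of the same chunk differ: an observer learns nothing about
// repetition, but the store can no longer detect the duplicate either.
func encryptRandomized(key, chunk []byte) []byte {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return append(nonce, aead.Seal(nil, nonce, chunk, nil)...)
}

// ciphertextsReveal reports whether someone holding only the two
// ciphertexts can tell that the underlying plaintext chunks were equal.
func ciphertextsReveal(c1, c2 []byte) bool { return bytes.Equal(c1, c2) }

func main() {
	chunk := []byte("constructed sample chunk: same bytes stored twice")
	key := bytes.Repeat([]byte{0x42}, 32) // constructed fixed key
	fmt.Println("convergent leaks repetition:",
		ciphertextsReveal(encryptConvergent(chunk), encryptConvergent(chunk)))
	fmt.Println("randomized leaks repetition:",
		ciphertextsReveal(encryptRandomized(key, chunk), encryptRandomized(key, chunk)))
}
```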