Warning! New cryptographic modes!

Jerry Leichter leichter at lrw.com
Mon May 11 20:29:06 EDT 2009


On May 11, 2009, at 7:08 PM, Matt Ball wrote:
> Practically, to make this work, you'd want to look at the solutions
> that support 'data deduplication' (see
> http://en.wikipedia.org/wiki/Data_deduplication).  These techniques
> typically break the data into variable length 'chunks', and
> de-duplicate by computing the hash of these chunks and comparing to
> the hashes of chunks already stored in the system.  These chunks
> provide a useful encryption unit, but they're still somewhat
> susceptible to traffic analysis.  The communication should
> additionally be protected by SSH, TLS, or IPsec to reduce the exposure
> to traffic analysis.
It's interesting that data-dedup-friendly modes inherently allow an
attacker to recognize duplicated plaintext based only on the
ciphertext.  That's their whole point.  But this is exactly the
primary weakness of ECB mode.  It's actually a bit funny:  ECB mode
lets you recognize repetitions of what are commonly small, probably
semantically meaningless, pieces of plaintext.  Data-dedup-friendly
modes let you recognize repetitions of what are commonly large chunks
of semantically meaningful plaintext.  Yet we reject ECB as insecure
but accept the insecurity of data-dedup-friendly modes because they
are so useful!
                                                         -- Jerry
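The comparison Jerry draws above can be shown in code. The following Python is an added example, not part of this thread and not code from any deduplication product or cipher library: it stands a constructed 4-round Feistel "toy block cipher" built from SHA-256 in place of AES (only its deterministic, invertible per-block behaviour matters here), uses fixed-size chunks in place of the variable-length content-defined chunks Matt describes, and encrypts a constructed plaintext three ways: ECB, a dedup-friendly convergent scheme (per-chunk key derived from the chunk's hash, fixed nonce), and conventional randomized encryption (one secret key, fresh nonce per chunk). `repeated_units` is what a ciphertext-only observer can compute: in ECB the repeats are 16-byte blocks, in the dedup-friendly mode they are whole chunks, and in the randomized mode there are none.

```python
"""Added example: ciphertext equality leaks plaintext equality in ECB and in
dedup-friendly (convergent) encryption; randomized encryption leaks nothing.
Everything here is constructed for illustration; the block cipher is a toy."""
from __future__ import annotations

import hashlib
import os
from collections import Counter

BLOCK = 16   # toy block size, same as AES
CHUNK = 64   # toy dedup chunk size; real systems use chunks of several KiB


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Toy Feistel round function from SHA-256 (constructed stand-in, not a real cipher).
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """4-round Feistel permutation on a 16-byte block: deterministic and invertible."""
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, xor(left, _round(key, i, right))
    return left + right


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = xor(right, _round(key, i, left)), left
    return left + right


def ecb_encrypt(key: bytes, data: bytes) -> list[bytes]:
    """ECB: each block encrypted independently under one key, so equal
    plaintext blocks produce equal ciphertext blocks."""
    if len(data) % BLOCK:
        raise ValueError("toy ECB needs a multiple of the block size")
    return [toy_block_encrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK)]


def ctr_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR over the toy cipher: keystream block = E_k(nonce || counter). Self-inverse."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        keystream = toy_block_encrypt(key, nonce + i.to_bytes(8, "big"))
        out += xor(data[i:i + BLOCK], keystream)
    return bytes(out)


def chunks(data: bytes) -> list[bytes]:
    return [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]


def convergent_encrypt(data: bytes) -> list[bytes]:
    """Dedup-friendly (convergent) encryption: the chunk key is H(chunk) and the
    nonce is fixed, so an identical chunk anywhere in the store encrypts identically."""
    return [ctr_encrypt(hashlib.sha256(c).digest(), bytes(8), c) for c in chunks(data)]


def randomized_encrypt(key: bytes, data: bytes) -> list[bytes]:
    """Conventional encryption: one secret key, fresh random nonce per chunk
    (stored in front of the ciphertext). Equal chunks give unrelated ciphertexts,
    so dedup cannot work on them, and repetition does not leak."""
    out = []
    for c in chunks(data):
        nonce = os.urandom(8)
        out.append(nonce + ctr_encrypt(key, nonce, c))
    return out


def repeated_units(units: list[bytes]) -> dict[bytes, int]:
    """The observer's view: which ciphertext units repeat, and how many times."""
    return {u: n for u, n in Counter(units).items() if n > 1}


# Constructed plaintext: chunk A (which itself contains repeated 16-byte blocks),
# a distinct chunk B, then A again.
CHUNK_A = b"X" * 16 + b"Y" * 32 + b"X" * 16
CHUNK_B = bytes(range(64))
PLAINTEXT = CHUNK_A + CHUNK_B + CHUNK_A
KEY = hashlib.sha256(b"demo key (constructed)").digest()


def leakage_report(key: bytes = KEY, data: bytes = PLAINTEXT) -> dict[str, int]:
    """Number of distinct repeated ciphertext units each mode exposes."""
    return {
        "ecb_blocks": len(repeated_units(ecb_encrypt(key, data))),
        "dedup_chunks": len(repeated_units(convergent_encrypt(data))),
        "randomized_chunks": len(repeated_units(randomized_encrypt(key, data))),
    }


if __name__ == "__main__":
    for mode, n in leakage_report().items():
        print(f"{mode}: {n} repeated ciphertext unit(s) visible to an observer")
```

On the constructed input the report is `ecb_blocks: 2` (the all-X and all-Y blocks, each seen four times), `dedup_chunks: 1` (chunk A, seen twice) and `randomized_chunks: 0`. The two leaks are the same property at different granularities, which is the point of the message; what a deployment gains from dedup is paid for in exactly the equality information ECB is rejected for giving away, so the decision belongs in the threat model rather than in a blanket "ECB bad, dedup fine".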


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com