[Cryptography] Non-Authenticated Key Agreement
Natanael
natanael.l at gmail.com
Wed Sep 23 07:19:49 EDT 2015
On Wed, Sep 23, 2015 at 7:11 AM, Davy Durham <ddurham at davyandbeth.com>
wrote:
>
> Given an encrypt (and decrypt, for that matter) function based the
> one-time pad idea:
> E(d, k) = d xor k
>
> Alice wishes to send Bob a piece of information d. Alice and Bob have not
> exchanged any information previously.
> Alice makes up a random key, ka, and Bob makes up a random key, kb.
> The following sequence diagram allows Alice to send d to Bob while the d
> remains protected from eavesdropping in between.
>
> Alice Bob
> d = data
> ka = random bits
> d' = E(d, ka)
> d'
> ---------------------------------------->
> kb = random bits
> d'' = E(d', kb)
> d''
> <----------------------------------------
> d''' = E(d'', ka)
> d'''
> ---------------------------------------->
> d = E(d''', kb)
>
> d' = d XOR ka
d'' = d XOR ka XOR kb
d''' = d XOR ka XOR kb XOR ka = d XOR kb
All off these are public. See the problem yet? Hint: Key reuse.
kb = d' XOR d''
d = d''' XOR kb
Or in other words, d' XOR d'' XOR d''' = d. This is because each XOR key is
repeated in even numbers, where each version have exactly one difference in
which ones are applied. A XOR B XOR B = A.
XOR encryption is only considered secure if the same unpredictable key
material NEVER is used for more than exactly one plaintext
Even if you managed to make it work with uneven numbers of applications,
the reuse still reveals statistics about the plaintext.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20150923/274e83a8/attachment.html>
More information about the cryptography
mailing list