[cryptography] Key Checksums (BATON, et al)
smb at cs.columbia.edu
Wed Mar 27 16:39:46 EDT 2013
On Mar 27, 2013, at 3:13 PM, Ben Laurie <ben at links.org> wrote:
> On 27 March 2013 17:20, Steven Bellovin <smb at cs.columbia.edu> wrote:
>> On Mar 27, 2013, at 3:50 AM, Jeffrey Walton <noloader at gmail.com> wrote:
>>> What is the reason for checksumming symmetric keys in ciphers like BATON?
>>> Are symmetric keys distributed with the checksum acting as an
>>> authentication tag? Are symmetric keys pre-tested for resilience
>>> against, for example, chosen ciphertext and related key attacks?
>> The parity bits in DES were explicitly intended to guard against
>> ordinary transmission and memory errors. Note, though, that this
>> was in 1976, when such precautions were common. DES was intended
>> to be implemented in dedicated hardware, so a communications path
>> was needed, and hence error-checking was a really good idea.
> And in those days they hadn't quite wrapped their heads around the
> concept of layering?
That's partly though not completely true.
> That said, I used to work for a guy with a long history in comms. His
> take was that the designers of each layer didn't trust the designers
> of the layer below, so they added in their own error correction.
It's more that errors can occur at any layer -- even today, we have
link layer checksums, TCP checksums, and sometimes more. This is the
e2e error check, shortly before Saltzer and Clark wrote their paper...
And yes, hardware was a *lot* less reliable then.
--Steve Bellovin, https://www.cs.columbia.edu/~smb
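
The DES key parity discussed in this thread, as an added example that is not part of the original messages: each key byte carries one odd-parity bit, so a single flipped bit is detected, but two flips in the same byte pass unnoticed, and anyone can recompute the bit, so it is an error check and not an authentication tag. The key bytes and function names are constructed for illustration.

```python
# Added example: DES-style odd parity over an 8-byte key.
# SAMPLE_KEY is a constructed value, not real key material.

def popcount(b: int) -> int:
    """Number of 1 bits in a byte."""
    return bin(b).count("1")

def set_odd_parity(key: bytes) -> bytes:
    """Set the low bit of each byte so that every byte has an odd number of 1 bits."""
    out = bytearray()
    for b in key:
        high7 = b & 0xFE                      # the 7 bits that carry key material
        out.append(high7 | (0 if popcount(high7) % 2 else 1))
    return bytes(out)

def bad_parity_bytes(key: bytes) -> list:
    """Indexes of bytes whose parity is even, i.e. bytes that fail the check."""
    return [i for i, b in enumerate(key) if popcount(b) % 2 == 0]

def flip_bit(key: bytes, byte_index: int, bit: int) -> bytes:
    """Simulate a transmission or memory error by inverting one bit."""
    out = bytearray(key)
    out[byte_index] ^= 1 << bit
    return bytes(out)

SAMPLE_KEY = set_odd_parity(bytes.fromhex("0123456789abcdef"))

def demo() -> dict:
    single = flip_bit(SAMPLE_KEY, 3, 5)               # one bit error in byte 3
    double = flip_bit(flip_bit(SAMPLE_KEY, 3, 5), 3, 2)  # two bit errors in byte 3
    spread = flip_bit(flip_bit(SAMPLE_KEY, 1, 7), 6, 4)  # errors in bytes 1 and 6
    return {
        "clean": bad_parity_bytes(SAMPLE_KEY),
        "single_flip": bad_parity_bytes(single),
        "double_flip_same_byte": bad_parity_bytes(double),
        "double_flip_changed_key": double != SAMPLE_KEY,
        "flips_in_two_bytes": bad_parity_bytes(spread),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```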