[cryptography] Key Checksums (BATON, et al)

Steven Bellovin smb at cs.columbia.edu
Wed Mar 27 16:39:46 EDT 2013

On Mar 27, 2013, at 3:13 PM, Ben Laurie <ben at links.org> wrote:

> On 27 March 2013 17:20, Steven Bellovin <smb at cs.columbia.edu> wrote:
>> On Mar 27, 2013, at 3:50 AM, Jeffrey Walton <noloader at gmail.com> wrote:
>>> What is the reason for checksumming symmetric keys in ciphers like BATON?
>>> Are symmetric keys distributed with the checksum acting as a
>>> authentication tag? Are symmetric keys pre-tested for resilience
>>> against, for example, chosen ciphertext and related key attacks?
>> The parity bits in DES were explicitly intended to guard against
>> ordinary transmission and memory errors.  Note, though, that this
>> was in 1976, when such precautions were common.  DES was intended
>> to be implemented in dedicated hardware, so a communications path
>> was needed, and hence error-checking was a really good idea.
> And in those days they hadn't quite wrapped their heads around the
> concept of layering?

That's partly though not completely true.
> That said, I used to work for a guy with a long history in comms. His
> take was that the designers of each layer didn't trust the designers
> of the layer below, so they added in their own error correction.
It's more that errors can occur at any layer -- even today, we have
link layer checksums, TCP checksums, and sometimes more.  This is the 
e2e error check, shortly before Saltzer and Clark wrote their paper...
And yes, hardware was a *lot* less reliable then.

		--Steve Bellovin, https://www.cs.columbia.edu/~smb

More information about the cryptography mailing list