[cryptography] Key Checksums (BATON, et al)

Steven Bellovin smb at cs.columbia.edu
Thu Mar 28 11:26:26 EDT 2013


See Matt Blaze's "Protocol Failure in the Escrowed Encryption Standard", http://www.crypto.com/papers/eesproto.pdf

On Mar 28, 2013, at 10:16 AM, Ethan Heilman <eth3rs at gmail.com> wrote:

> Peter,
> 
> Do I understand you correctly? The checksum is calculated using a key or the checksum algorithm is secret so that they can't generate checksums for new keys? Are they using a one-way function? Do you have any documentation about this?
> 
> Thanks,
> Ethan
> 
> 
> On Wed, Mar 27, 2013 at 11:50 PM, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
> Jeffrey Walton <noloader at gmail.com> writes:
> 
> >What is the reason for checksumming symmetric keys in ciphers like BATON?
> >
> >Are symmetric keys distributed with the checksum acting as an authentication
> >tag? Are symmetric keys pre-tested for resilience against, for example,
> >chosen ciphertext and related key attacks?
> 
> For Type I ciphers the checksumming goes beyond the simple DES-style error
> control, it's also to ensure that if someone captures the equipment they can't
> load their own, arbitrary keys into it.
> 
> Peter.
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography


		--Steve Bellovin, https://www.cs.columbia.edu/~smb






