[cryptography] Key Checksums (BATON, et al)

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sat Mar 30 11:57:46 EDT 2013

Ethan Heilman <eth3rs at gmail.com> writes:

>Do I understand you correctly. The checksum is calculated using a key or the
>checksum algorithm is secret so that they can't generate checksums for new
>keys?  Are they using a one-way function? Do you have any documentation about

Like the algorithms themselves, the details would be classified.  The only
case where we know anything is for Clipper, but we have no idea whether it's
done similarly for other devices.  Given the LEAF-based design, which wouldn't
be needed for normal military/goverment use, it seems unlikely.

(If you needed to do something like this isn't not too hard to figure out how
to do it, just MAC the key in some way and if the MAC check fails, truncate it
to (say) 16 bits so the unauthorised user thinks they're encrypting data but
you can recover the plaintext without too much effort).


More information about the cryptography mailing list