-----BEGIN PGP SIGNED MESSAGE----- Me:
Using a random IV also limits the effectiveness of using known headers for "known plaintext" attacks. Also note that a good block cipher isn't that vulnerable even to "known plaintext" attacks.
Bill Frantz:
I don't think this is true given a brute force attack. Let me assume DES-CBC as a specific system. Let us assume that the plaintext is:
<snip>
The brute force system decrypts the first, and second blocks (8 bytes each) of the cyphertext, XORs them, and compares the result with "PKZIP2.1". If the comparison is equal it has the key.
If we eliminated the header and just started with the compressed data, then the brute force system would have to decrypt and decompress enough of the data to run statistical tests. The cost of the additional decryptions, decompression, and statistical tests substantially raise the cost of the brute force attack.
I will concede that having a known header, such as a PKZIP header, does weaken a crypto to certain degree, but I still believe that it is not a significant problem. Here's why: 1. If the best attack against the crypto system is to brute force attack (having to decrypt two blocks per key) I don't consider that a weakness. Assuming you are using IDEA or another 128 bit key algorithm and if everyone in the world owned two computers, each powerful enough to make a million attacks a second, and they all decided to cooperate in cracking your key it would still take (on average) until the next ice age to complete this attack. Admittedly DES wouldn't hold up nearly as well, but if you are using straight DES you have bigger concerns than the occaisional known plaintext attack. 2. Known plaintext is something that you have to assume that your enemy has at least occaisional access to. Lots of messages have known beginnings and endings. Sure it would be nice to reduce the amount of known plaintext, but I think there are much more significant concerns. 3. The disadvantages of not having the headers. The headers are there for a reason: to communicate that the following file is in a specific format. Without the headers, you have to use another secure channel to communicate what file type is being transmitted. Again, I concede that a crypto system would be more secure if no known plaintext was ever transmitted, such as compressed file headers. But this minor loss of security is nearly inescapable and also relatively insignificant. David F. Ogren ogren@concentric.net PGP Key ID: 0xC626E311 PGP Key Fingerprint: 24 23 CD 15 BF 8D D1 DE 81 71 84 C8 2C E0 4B 01 (public key available via server or by sending a message to ogren@concentric.net with a subject of GETPGPKEY) -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMa/qu/BB6nnGJuMRAQH8MAP/epcVGiS+9U1aWs1diuiVsMSjellYRjNm p9huFrzT9eaBrfVz0MI2yhZ8IWNctDWznQdmtcmdRKoFm5Knfu+vIyKH6oILplyB dgfPsSh3R/pJKXs2hD4q8PgE+laaTyFZyW1MqPbAjlKUS/T1w9bhL3lQnsrKZPf+ Qyxa19Vlya0= =sHIE -----END PGP SIGNATURE-----