ASK ToolKit Clarifications

Bill Stewart stewarts at ix.netcom.com
Sat Aug 30 15:09:58 PDT 1997



At 09:27 AM 8/29/97 -0400, Myron Lewis wrote:
>I know that the claims we make for the ASK ToolKit(TM) sound 
>a little too good to be true. 
...
>The ASK ToolKit does not do encryption.
>It only provides keys on demand for encryption. 

And his web page says
>you will be able to offer your customers the most secure applications
>available.
>And they won't have to endure the pain of dealing with, 
>or spending the money for, key management systems.

The toolkit is fairly straightforward, if the descriptions are accurate.
Alice exchanges a secret with Bob somehow, and keeps track of 
which secret goes with which recipient, i.e. does the key management - 
either inside the toolkit, making the toolkit somewhat useful, 
or outside the toolkit, making the toolkit annoying to use.

At that point, Alice and Bob both have Secret(Alice,Bob),
and a counter N of the number of session keys they've generated.
When Alice wants to send Message to Bob, she uses the toolkit to calculate
	(SessionKey(N), Stuff2) = f(N, Secret(Alice,Bob),Alice,Bob,Stuff1)
and sends Bob (N,Stuff1,Stuff2,Alice,Bob) and E(Message,SessionKey(N)).

Having not licensed a copy of the toolkit, I don't know whether
Stuff1 and Stuff2 are transmitted, non-transmitted, or empty sets,
or whether the function f  maintains state other than N (if it does,
then Stuff1 and Stuff2 are the state variables, with Stuff1(N+1)==Stuff2(N).)

Some popular variants on this are
	f() = Hash(Secret,N)	
		(tends to leak)
	f() = Hash(N,Secret,N) or Hash(N,Hash(Secret,N)) or Hash(Secret,N,Secret)
	f() = Hash(SessionKey(N-1)) == Hash**N(Secret)	     
		(terrible - leaks badly.)
	f() = (Hash2(salt,Hash**N(Secret)), salt)    
		(much stronger if Hash2 is good.)

Then there's S/Key: f() = Hash**(M-N)(Secret) where M is a big number,
typically 100.
This works well for passwords, since you can easily verify that
Hash**N(f()) = Secret,
though it's dangerous for encryption passwords, since cracking one message
key cracks all the previous messages.

#			Thanks;  Bill
# Bill Stewart, +1-415-442-2215 stewarts at ix.netcom.com
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
#   (If this is a mailing list or news, please Cc: me on replies.  Thanks.)
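The key-derivation variants Bill lists above, written out as an added example (this is not code from the post, from the ASK ToolKit, or from S/Key). It assumes Hash() is SHA-256 over length-prefixed fields and that Hash2 is the same function with a salt prepended; the shared Secret, the counter N and the S/Key limit M=100 are constructed values. It also shows what a verifier actually keeps for S/Key (Hash**M(Secret), checked against Hash**N of the offered key) and reproduces the two leaks the post describes: a bare chain Hash**N(Secret) lets a holder of SessionKey(N) compute every later key, and S/Key lets a holder of key N compute every earlier key, while the salted variant breaks the forward step. The "tends to leak" remark about Hash(Secret, N) is not modelled here.

```python
"""Session-key derivation variants from the post, as an added example.
Hash() is modelled as SHA-256 over length-prefixed fields (an assumption;
the post does not say which hash the toolkit uses)."""
import hashlib
import os


def H(*parts: bytes) -> bytes:
    """Hash(a, b, ...): one SHA-256 over length-prefixed fields, so that
    Hash(Secret, N) and Hash(N, Secret) are distinct, unambiguous inputs."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


def hash_pow(x: bytes, n: int) -> bytes:
    """Hash**n(x): apply H n times."""
    for _ in range(n):
        x = H(x)
    return x


def counter(n: int) -> bytes:
    """Encode the session counter N as a fixed-width field."""
    return n.to_bytes(4, "big")


# --- the variants listed in the post ----------------------------------------
def f_hash_secret_n(secret: bytes, n: int) -> bytes:      # f() = Hash(Secret, N)
    return H(secret, counter(n))


def f_sandwich(secret: bytes, n: int) -> bytes:           # f() = Hash(Secret, N, Secret)
    return H(secret, counter(n), secret)


def f_chain(secret: bytes, n: int) -> bytes:              # f() = Hash**N(Secret)
    return hash_pow(secret, n)                            # == Hash(SessionKey(N-1))


def f_salted_chain(secret: bytes, n: int, salt: bytes):   # f() = (Hash2(salt, Hash**N(Secret)), salt)
    return H(salt, hash_pow(secret, n)), salt


def f_skey(secret: bytes, n: int, m: int = 100) -> bytes:  # S/Key: f() = Hash**(M-N)(Secret)
    return hash_pow(secret, m - n)


def skey_verifier(secret: bytes, m: int = 100) -> bytes:
    """What an S/Key verifier stores instead of Secret: Hash**M(Secret)."""
    return hash_pow(secret, m)


def skey_check(key_n: bytes, n: int, verifier: bytes) -> bool:
    """Accept key N iff Hash**N(key_n) equals the stored Hash**M(Secret)."""
    return hash_pow(key_n, n) == verifier


# --- leakage, computed the way an attacker holding one session key would ----
def chain_next_from_key(key_n: bytes) -> bytes:
    """Bare chain: SessionKey(N+1) = Hash(SessionKey(N)); no Secret needed."""
    return H(key_n)


def skey_previous_from_key(key_n: bytes) -> bytes:
    """S/Key: key N-1 = Hash(key N), so one key yields all earlier keys."""
    return H(key_n)


def demo() -> dict:
    secret = b"constructed shared secret for Alice<->Bob"   # made-up, not from the post
    n = 7
    r = {}
    # forward leak of the bare hash chain
    r["chain_leaks_forward"] = chain_next_from_key(f_chain(secret, n)) == f_chain(secret, n + 1)
    # salted chain: Hash(key) is no longer the next key, the chain value sits behind Hash2
    k_salted, salt = f_salted_chain(secret, n, salt=os.urandom(16))
    r["salted_chain_hides_next"] = H(k_salted) != f_salted_chain(secret, n + 1, salt)[0]
    # S/Key verification, with a wrong key rejected, then the backward leak
    v = skey_verifier(secret)
    r["skey_verifies"] = skey_check(f_skey(secret, n), n, v)
    r["skey_rejects_wrong_key"] = not skey_check(f_skey(secret, n + 1), n, v)
    r["skey_leaks_backward"] = skey_previous_from_key(f_skey(secret, n)) == f_skey(secret, n - 1)
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Run it and every line prints True: the bare chain and S/Key both hand an attacker a whole run of keys from a single compromised one, in opposite directions, which is why the same chain is fine for one-time passwords (where old keys are worthless) and bad for message keys (where old traffic is exactly what gets decrypted).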

More information about the cypherpunks-legacy mailing list