Chaffing and Winnowing

Anonymous Sender nobody at privacy.nb.ca
Tue Mar 24 14:00:17 PST 1998


Aside from the considerable overhead created by C/W,
I observe a possible pitfall. Suppose I start every
new message at ID# 0. The first time I C/W a message
everything works fine. The next time I C/W a message
with the same MAC, I give some very juicy clues to
what both messages were. This is because the item that
the MAC applied to was an ID number and a bit. Well, that
bit is either zero or one... so any bit that corresponds
between my first and second message will yield an identical
MAC, thus making it easy for anybody to separate some of
the wheat from the chaff, merely by simple observation.
Though in a real implementation I probably wouldn't be so
naive as to start every new message with the same packet
ID, I point out that there's an upper limit on the amount of
data that should be transmitted before a new
authentication key should be arranged... that is, assuming that
the ID field was of finite size. Rivest mentioned in passing
using a 32-bit ID. That's an impressive number of bits to
C/W, but certainly not unattainable.

-SM2k
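To make the pitfall concrete, here is an added example (not from the post or from Rivest's paper): a toy chaffing/winnowing stream where HMAC-SHA256 covers only a 4-byte serial plus one bit, and a keyless observer that matches repeated MACs across two messages whose IDs both restart at 0, beside the same check with a continued counter. The function names, the key and the 8-bit sample messages are constructed.

```python
import hmac
import hashlib
import secrets

ID_BYTES = 4  # the 32-bit serial the post attributes to Rivest

def mac(key: bytes, serial: int, bit: int) -> bytes:
    """MAC over exactly what the post describes: the ID number and one bit."""
    return hmac.new(key, serial.to_bytes(ID_BYTES, "big") + bytes([bit]), hashlib.sha256).digest()

def chaff(key: bytes, bits: list, start_id: int) -> list:
    """Sender: for each bit emit a wheat packet with a valid MAC and a chaff packet
    carrying the opposite bit and a random MAC, in random order."""
    stream = []
    rng = secrets.SystemRandom()
    for offset, bit in enumerate(bits):
        serial = start_id + offset
        pair = [(serial, bit, mac(key, serial, bit)),
                (serial, 1 - bit, secrets.token_bytes(32))]
        rng.shuffle(pair)
        stream.extend(pair)
    return stream

def winnow(key: bytes, stream: list) -> list:
    """Receiver: keep only packets whose MAC verifies, ordered by serial."""
    kept = {s: b for (s, b, tag) in stream if hmac.compare_digest(tag, mac(key, s, b))}
    return [kept[s] for s in sorted(kept)]

def observer_leak(stream_a: list, stream_b: list) -> dict:
    """Eavesdropper with no key: a (serial, bit, MAC) triple present in both streams
    cannot be chaff (chaff MACs are fresh random values), so it is wheat and exposes
    that bit in both messages."""
    seen = set(stream_a)
    return {s: b for (s, b, tag) in stream_b if (s, b, tag) in seen}

KEY = b"constructed-demo-key"          # constructed sample key
MSG_A = [1, 0, 1, 1, 0, 0, 1, 0]       # constructed sample messages
MSG_B = [1, 1, 1, 0, 0, 1, 1, 0]

def leak_with_restarted_ids() -> dict:
    """The pitfall: both messages restart at ID 0 under the same key."""
    return observer_leak(chaff(KEY, MSG_A, 0), chaff(KEY, MSG_B, 0))

def leak_with_continued_ids() -> dict:
    """Mitigation: the serial counter continues across messages (and the key is
    replaced before it wraps), so no (ID, bit) pair is ever authenticated twice."""
    return observer_leak(chaff(KEY, MSG_A, 0), chaff(KEY, MSG_B, len(MSG_A)))

if __name__ == "__main__":
    print("recovered:", winnow(KEY, chaff(KEY, MSG_A, 0)))
    print("leaked with restarted IDs:", leak_with_restarted_ids())
    print("leaked with continued IDs:", leak_with_continued_ids())
```

With restarted IDs the observer learns every position where the two messages agree (five of eight bits here) and, by elimination, that the remaining bits differ; with a continued counter nothing matches.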