Cryptography Reference
In-Depth Information
Listing 8-34:
Example export-grade initialization vector calculation
unsigned char *iv_block = ( unsigned char * )
malloc( suites[ parameters->pending_send_parameters.suite ].IV_size * 2
);
PRF( “”, 0, // empty secret, anybody can compute
“IV block”, strlen( “IV block” ),
parameters->client_random, RANDOM_LENGTH * 2,
iv_block,
suites[ parameters->pending_send_parameters.suite ].IV_size * 2 );
memcpy( parameters->pending_send_parameters.IV, iv_block, 8 );
memcpy( parameters->pending_recv_parameters.IV, iv_block + 8, 8 );
This means that any eavesdropper can compute the initialization vectors
from the client and server random values. Why the U.S. government insisted on
this concession is a bit of a mystery; recall from Chapter 6 that TLS 1.1 actually
puts the initialization vector for each individual TLS packet in plaintext with
no appreciable loss of security. Perhaps the NSA is aware of an attack on block
ciphers in CBC mode that requires nothing other than knowledge of the IV to
mount — if so, TLS 1.1 and TLS 1.2 are completely vulnerable to this attack. If
such an attack exists, it hasn't been made public. Of course, if there were such
an attack, stream ciphers such as RC4 would have an edge because they don't
make use of initialization vectors or CBC.
Now, there's not much you can do with a fi ve-byte key. This is actually enough
for RC4, but it's not suffi cient for any of the other ciphers that have been exam-
ined in this topic. Remember that DES, for example, needs exactly eight bytes.
Therefore, there's a second key expansion step to turn the temporary fi ve-byte
keys that came from the master secret into the fi nal actual keys. The key block
material is computed just as in a non-export cipher, but the fi nal keys are run
through the PRF a second time as shown in Listing 8-35:
Listing 8-35:
Example of export-grade key generation
PRF( write_key, 5,
“client write key”, strlen( “client write key” ),
parameters->client_random, RANDOM_LENGTH * 2,
parameters->pending_send_parameters.key,
suites[ parameters->pending_send_parameters.suite ].key_size );
PRF( read_key, 5,
“server write key”, strlen( “server write key” ),
parameters->client_random, RANDOM_LENGTH * 2,
parameters->pending_recv_parameters.key,
suites[ parameters->pending_recv_parameters.suite ].key_size );
Notice that the secret here is the weak fi ve-byte key that was computed by
the master secret expansion. An attacker would only need to run the PRF on all
2
40
possible input values to brute-force the key. In 1999, this would have taken
a few days. On modern hardware, it can be done in minutes.
Search WWH ::
Custom Search