Cryptography Reference
In-Depth Information
He uses this to compute the following, in this order:
$S_{i+1} = P^* \oplus C'_{i+1}$ from the second scheme,
$P_{i+1} = C_{i+1} \oplus S_{i+1}$ from the first scheme,
$S_{i+2} = P_{i+1} \oplus C'_{i+2}$ from the second scheme,
$P_{i+2} = S_{i+2} \oplus C_{i+2}$ from the first scheme
and so on. Since such a stream cipher actually works bitwise, the division in
'blocks' is arbitrary in this context. A block can be one bit long, or 8 or perhaps
31. Moreover, even changes to P j for j
i play only a secondary role; the
only important thing is that bits are introduced deliberately.
This opens up ways for the following practicable approach: the attacker — let's
call him Bond — had himself hired by a suspect company, knowing that an
encrypted message he'd previously intercepted placed an order for hot goods
with Gun Services & Partner. That company's contact, Müller, has been under
surveillance by the secret service for quite some time. During a date with his
company's attractive secretary, Bond mentions incidentally that he had recently
put his foot right in it with him, because he had spelled Müller's name wrongly:
it should actually read 'Mueller', and the man was known to be finicky about
correct orthography. The following day, Bond promptly intercepts an encrypted
message to Gun Services & Partner that coincides with the previous message,
except in a certain place. He correctly assumes that the first differing byte
came into being as the 'ü' was changed into 'u', and an 'e' was inserted after
it. Since the name 'Müller' occurs only once in the plaintext — at the beginning
of all places, Bond can decipher almost the entire order for an illegal weapons
shipment, except for an addition in the second message, which was probably
an apology for the wrong spelling.
The best methods are worth nothing to people who handle cryptology so laxly.
They should also take more interest in whom their attractive secretaries date.
This attack was only possible because the same key sequence $(S_n)$ was used in
both cases. This shows how important it is to choose a different initialization
vector for every message.
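The recurrence above, carried out with one-byte blocks, as an added example that is not from the book. The SHA-256 counter keystream, the key, the IV values and the two sample messages are constructed for illustration; with a reused key sequence the text after the insertion point is recovered, with distinct IVs the same computation yields noise.

```python
import hashlib

def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Toy key sequence (S_n): SHA-256 in counter mode, for illustration only."""
    blocks = (hashlib.sha256(key + iv + c.to_bytes(4, "big")).digest()
              for c in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Stream cipher: C_k = P_k XOR S_k."""
    return bytes(p ^ s for p, s in zip(plaintext, keystream(key, iv, len(plaintext))))

def recover_after_insertion(c1: bytes, c2: bytes, inserted: int):
    """Run the recurrence from the text with one-byte blocks.

    c1 encrypts P_1..P_i, P_{i+1}, ...; c2 encrypts P_1..P_i, P*, P_{i+1}, ...
    Assumes P* differs from P_{i+1}, so the first differing ciphertext byte
    marks the insertion point. Returns (i, bytes recovered from P_{i+1} on).
    """
    i = next(k for k, (a, b) in enumerate(zip(c1, c2)) if a != b)
    known, out = inserted, bytearray()
    for k in range(i, len(c1)):
        s = known ^ c2[k]   # S = (known plaintext byte of message 2) XOR C'
        known = c1[k] ^ s   # P = C XOR S; this byte sits one place later in message 2
        out.append(known)
    return i, bytes(out)

# Constructed sample messages; the second has an 'e' inserted after the 'u'.
KEY = b"constructed demo key"
M1 = b"Dear Mr Muller, please confirm order 4711."
M2 = b"Dear Mr Mueller, please confirm order 4711."

def demo(iv1: bytes, iv2: bytes):
    """Encrypt M1 and M2 under the given IVs and apply the recurrence."""
    return recover_after_insertion(encrypt(KEY, iv1, M1), encrypt(KEY, iv2, M2), ord("e"))

if __name__ == "__main__":
    print("same IV:     ", demo(b"iv-0001", b"iv-0001"))  # key sequence reused
    print("distinct IVs:", demo(b"iv-0001", b"iv-0002"))  # fresh key sequence per message
```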
Other Problems
So much for active attacks. Another aspect is the potential error propagation.
All modes discussed here are designed such that a transmission error (garbled
blocks) can turn no more than two plaintext blocks into gibberish when