Cryptography Reference
In-Depth Information
random
block
check block
plaintext
I
0
I
1
P
0
P
1
DES
DES
DES
DES
C
0
C
1
C
2
C
3
ciphertext
Figure 5.5:
Fast password check during decryption.
(i.e., from plaintext block
P
0
) onwards. I find the trick to put two identical,
random blocks in front of the plaintext and encrypt the product in CBC mode
even more elegant. However, the statement 'the first two plaintext blocks are
equal' can be similarly valuable for an attacker as the statement 'the first
plaintext block consists of zeros'. This might actually be the reason why the
PGP program discussed in Section 7.1 repeats only 16 bits of the first 64-bit
block.
In my RC5a implementation, I use several input blocks, append a checksum,
and have a block follow that contains only the release number of the algorithm.
The actual plaintext begins only after that block. This arrangement facilitates
a later migration to other algorithms or variants of RC5. More about this issue
in Section 7.6.
When encrypting 'in place', however, such tricks are not easy to implement —
the checksum and the initialization vector have to be accommodated in different
places. Where exactly depends on the application.
5.1.4 Generating Keys
A particularly important aspect in implementing encryption methods is the
careful choice of keys. We've already learned the risks inherent in reduced key
spaces in Sections 3.2 and 3.3. In this section, we will look at another example
and then discuss how such mishaps can be avoided.
The Netscape Story
A downright dramatic example of a reduced key space became public in mid-
1995 when Ian Goldberg and David Wagner, then Berkeley graduate students,
