
Re: PGP/MIME vs. S/MIME vs. MOSS



At 03:28 PM 5/30/96 +1000, David Chia wrote:
>
>That was the problem in general of encrypting text with fixed tag using
>stream ciphers (xor'ed byte by byte) like RC4. It was reported by
>Stevenson that the 'earlier' pwl file was named with the username and
>the file content also started with the username (in capitals). The file was
>encrypted with 32 bit RC4 key and the same pseudo random stream was
>reused. It was cracked on a single workstation in less than 1 second.
>It is believed that the file format and encryption has been changed.
>RC4 when properly used is quite secure.

ERGO care must be taken, and peer review by crypto experts is a requirement.

>Incidentally for the MD5 algorithm, it was discovered and reported
>this month by Dobbertin (who earlier discovered the weakness in MD4)
>that under some special conditions a different plaintext that hashed
>to the same digest could be determined. The author concluded that this
>might be reason enough to substitute MD5 with SHA-1 in future applications.
>The computation took 10 hours on a single Pentium PC.
>(Ref: http://www.cs.ucsd.edu/users/bsy/dobbertin.ps).

But the keyed HMAC authentication method that will soon be used for IPSP has
been determined to be immune to these attacks, whether MD5 or SHA-1.

>This just demonstrates the need to allow for multiple algorithms in the
>standard.

It demonstrates listening to real crypto experts from different crypto disciplines.

Back at the Dallas IETF (Dec '95), Steve Bellovin announced the attack on
public key crypto.  A real neat use of timing that was known, but not
accounted for by real-time public key systems.  Even the Terisa chip was a
victim of this attack.

Ted Ts'o of MIT commented that here was someone smarter than the group that
Steve reported to.  I replied, "No, just a different view on the problem.
No smarter than the rest of you."

Robert Moskowitz
Chrysler Corporation
(810) 758-8212
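An added illustration, not part of this message or of the password-file software it describes, of the keystream-reuse flaw David Chia quotes (a stream cipher XORed over files that all begin with a predictable username) and of the per-file key derivation that removes it; the RC4 routine, key, file names and file contents are all constructed for the example.

```python
import hashlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4 (KSA + PRGA), included only so the example runs offline.
    RC4 is obsolete; it appears here purely to reproduce the flaw discussed."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_shared_stream(key: bytes, plaintext: bytes) -> bytes:
    # Flawed pattern from the post: one key for every file, so the same
    # pseudo-random stream is XORed over every file's bytes.
    return xor_bytes(rc4_keystream(key, len(plaintext)), plaintext)


def keystream_from_known_prefix(ciphertext: bytes, known: bytes) -> bytes:
    # For a stream cipher, ciphertext XOR known plaintext = keystream bytes,
    # so a predictable header (the username, here) hands over those bytes.
    return xor_bytes(ciphertext[: len(known)], known)


def encrypt_per_file(master: bytes, file_name: bytes, plaintext: bytes) -> bytes:
    # Mitigation: derive a distinct key per file so no keystream is ever reused.
    # Constructed derivation for illustration; a real design would use a proper KDF.
    file_key = hashlib.sha256(b"pwl-file-key|" + master + b"|" + file_name).digest()
    return xor_bytes(rc4_keystream(file_key, len(plaintext)), plaintext)


def demo() -> dict:
    master = b"k3y"                       # constructed sample key
    alice = b"ALICE|pw=hunter2"           # constructed: content starts with the username
    bob = b"BOB|pw=qwerty"
    ct_alice = encrypt_shared_stream(master, alice)
    ct_bob = encrypt_shared_stream(master, bob)
    # Knowing only that Alice's file starts with her name exposes the start of Bob's.
    leaked = keystream_from_known_prefix(ct_alice, b"ALICE")
    ct_bob_fixed = encrypt_per_file(master, b"bob.pwl", bob)
    return {"bob_prefix": xor_bytes(ct_bob[:5], leaked),            # b"BOB|p"
            "fixed_prefix": xor_bytes(ct_bob_fixed[:5], leaked),    # garbage
            "fixed_roundtrip": encrypt_per_file(master, b"bob.pwl", ct_bob_fixed)}
```

The per-file key is what a unique nonce or per-message key gives any stream cipher; without it, every byte of known plaintext in one file is a byte of keystream usable against all the others.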