At 12:02 PM 2/21/03 -0800, Zully Ramzan wrote: ...
I believe we've also seen this type of paradigm in many cryptanalytic instances wherein a guess for just a portion of a secret key can be verified, thereby reducing the time for a brute-force search since one first guesses this portion, and gets it right, before trying to guess the remainder of the key material.
Yep. The thing that I found fun about this attack was that it so completely sidesteps the protections of the crypto. If you think about it, the whole concept of the attack is to force the recipient's execution path to react without the benefit of a cryptographic check on its actions.
This attack made me think of the attack on SSH-encrypted passwords using timing / keystroke analysis. Again, a clever way to do an end-run around the crypto.
If you think about compression before encryption in this context, you could imagine someone actually causing a software crash (or even a buffer overrun, though not one they could control very well) by altering the ciphertext, and thus giving the decompressor routines a bunch of random bits to deal with. (I mentioned the possibility of using this sort of thing in an attack in my compression side channel paper at FSE last year, but I certainly didn't have this kind of clever attack in mind!)
Regards, Zully
--John Kelsey, [EMAIL PROTECTED]
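The point John makes about the recipient acting on ciphertext "without the benefit of a cryptographic check" is easiest to see in code. The following is an added illustration, not code from this thread or from any of the systems it mentions: a toy compress-then-encrypt channel (XOR with a SHA-256-derived keystream standing in for a real stream cipher) received two ways. One receiver decrypts and hands the result straight to zlib, so a one-bit change to the ciphertext drives the decompressor on attacker-chosen bytes and its error is observable; the other verifies an HMAC over the ciphertext first and rejects uniformly before any parser runs. Keys, nonce and the sample plaintext are fixed constructed values so the run is deterministic.

```python
import hashlib
import hmac
import zlib

# Constructed illustration (not code from the thread). The "cipher" is XOR with a
# SHA-256-derived keystream; it stands in for any stream mode and is not a real cipher.
ENC_KEY = b"e" * 32          # constructed fixed keys so the run is deterministic
MAC_KEY = b"m" * 32
NONCE = bytes(16)
PLAINTEXT = b"GET /account HTTP/1.1\r\nCookie: session=example-value\r\n\r\n"

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def protect(plaintext: bytes) -> bytes:
    """Compress, encrypt, then MAC over nonce || ciphertext (encrypt-then-MAC)."""
    compressed = zlib.compress(plaintext)
    ct = xor_bytes(compressed, keystream(ENC_KEY, NONCE, len(compressed)))
    tag = hmac.new(MAC_KEY, NONCE + ct, hashlib.sha256).digest()
    return NONCE + ct + tag

def receive_without_check(msg: bytes):
    """Receiver that acts on the ciphertext with no integrity check: the
    decompressor runs on whatever bytes arrived, and how it fails is observable."""
    nonce, ct = msg[:16], msg[16:-32]     # ignores the tag entirely
    pt = xor_bytes(ct, keystream(ENC_KEY, nonce, len(ct)))
    try:
        return "ok", zlib.decompress(pt)
    except zlib.error as exc:
        return "decompressor_error", str(exc)

def receive_with_check(msg: bytes):
    """Receiver that verifies the MAC before anything else sees the data: a
    modified ciphertext is rejected with one uniform error, and the decompressor
    never runs on attacker-controlled bytes."""
    nonce, ct, tag = msg[:16], msg[16:-32], msg[-32:]
    expected = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return "rejected", None
    pt = xor_bytes(ct, keystream(ENC_KEY, nonce, len(ct)))
    return "ok", zlib.decompress(pt)

def flip_bit(msg: bytes, index: int) -> bytes:
    b = bytearray(msg)
    b[index] ^= 0x01
    return bytes(b)

def demo() -> dict:
    msg = protect(PLAINTEXT)
    tampered = flip_bit(msg, 16)          # first ciphertext byte, i.e. the zlib header
    return {
        "clean": receive_with_check(msg),
        "no_check": receive_without_check(tampered),
        "with_check": receive_with_check(tampered),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result[0])
```

The design choice worth noting is the ordering: in `receive_with_check` the MAC comparison (constant-time, via `hmac.compare_digest`) is the first thing that touches the received bytes, so the decompressor, and any parser behind it, only ever sees data the sender actually produced. Whether the failure is a zlib header error, a later data error, or a crash in a less robust decompressor, none of it is reachable once the check comes first.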
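The cryptanalytic pattern quoted from Zully above, a guess for one portion of the key being verifiable on its own, is illustrated by the following added toy (not code from the thread). A 16-bit key is split into two 8-bit halves and `toy_enc` is a truncated hash standing in for a block cipher. In the flawed construction each half acts on its own block, so the halves can be recovered one at a time in at most 256 + 256 trials; in the sound construction only the whole key gives a checkable result, so the search is over 256 * 256. The key sizes and plaintexts are constructed values chosen so the counts are exact and the run finishes instantly.

```python
import hashlib

# Constructed toy (not from the thread): a 16-bit key made of two 8-bit halves.
# toy_enc is a truncated hash standing in for a block cipher; only the trial
# counts matter, and the key is tiny so the exhaustive search runs instantly.
def toy_enc(key: bytes, block: bytes) -> bytes:
    return hashlib.sha256(key + block).digest()[:8]

def separable_encrypt(k1: int, k2: int, p1: bytes, p2: bytes):
    """Flawed design: each key half acts on its own block, so a guess for one
    half can be confirmed against c1 or c2 without knowing the other half."""
    return toy_enc(bytes([k1]), p1), toy_enc(bytes([k2]), p2)

def joint_encrypt(k1: int, k2: int, p: bytes) -> bytes:
    """Sound design: only the whole key produces a checkable result."""
    return toy_enc(bytes([k1, k2]), p)

def search_separable(p1: bytes, p2: bytes, c1: bytes, c2: bytes):
    """Recover the halves one at a time: at most 256 + 256 trials."""
    trials = 0
    found1 = found2 = None
    for k1 in range(256):
        trials += 1
        if toy_enc(bytes([k1]), p1) == c1:
            found1 = k1
            break
    for k2 in range(256):
        trials += 1
        if toy_enc(bytes([k2]), p2) == c2:
            found2 = k2
            break
    return (found1, found2), trials

def search_joint(p: bytes, c: bytes):
    """No partial check is possible: up to 256 * 256 trials."""
    trials = 0
    for k1 in range(256):
        for k2 in range(256):
            trials += 1
            if toy_enc(bytes([k1, k2]), p) == c:
                return (k1, k2), trials
    return None, trials

def compare(k1: int = 0xC3, k2: int = 0x5A) -> dict:
    """Run both searches against the same (constructed) key and report trial counts."""
    p1, p2, p = b"block-one", b"block-two", b"block"
    c1, c2 = separable_encrypt(k1, k2, p1, p2)
    c = joint_encrypt(k1, k2, p)
    key_sep, t_sep = search_separable(p1, p2, c1, c2)
    key_joint, t_joint = search_joint(p, c)
    return {"separable": (key_sep, t_sep), "joint": (key_joint, t_joint)}

if __name__ == "__main__":
    for design, (key, trials) in compare().items():
        print(f"{design}: key={key} trials={trials}")
```

For the key (0xC3, 0x5A) the separable search finds each half after 196 and 91 trials respectively (287 in all), while the joint search needs 50011. The general lesson for a design review is the one Zully states: any intermediate value that depends on only part of the key, and that the attacker can check, turns a product of search spaces into a sum.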
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
