Re: applying AES-GCM to secure shell: proposed "tweak"

To: der Mouse <mouse%Rodents-Montreal.ORG@localhost>
Subject: Re: applying AES-GCM to secure shell: proposed "tweak"
From: Nicolas Williams <Nicolas.Williams%sun.com@localhost>
Date: Thu, 16 Apr 2009 10:45:50 -0500

On Thu, Apr 16, 2009 at 11:26:18AM -0400, der Mouse wrote:
> >> There are a lot of non-data messages that are full of uint32 fields
> >> that typically have at least 3/4 of their bits zero.  Some even use
> >> a 32-bit field to carry one bit of information.  Compressing these
> >> is valuable from the point of view of providing higher-entropy data
> >> as the cleartext to the encryption algorithm and therefore making it
> >> harder to attack.
> > Uhh, so breaking AES is going to be possible if the content is
> > uncompressed but not if it's compressed? :-)
> 
> Perhaps.  As a cryptographer I'm strictly a dilettante, but even I know
> that the lower the entropy of the plaintext, the easier it is to attack
> an encryption algorithm.  Knowing that most of the bits are zero could
> be the edge that makes the difference between working and failing for
> some attack - especially since you mostly know which ones they are (the
> high-order bits of most uint32s).

Lossless compression does not alter the amount of entropy in a message.
Therefore deterministic use/non-use of compression ought to have no
impact on known-plaintext attacks.

Follow-Ups:
- Re: applying AES-GCM to secure shell: proposed "tweak"
  - From: der Mouse

References:
- Re: applying AES-GCM to secure shell: proposed "tweak"
  - From: Peter Gutmann
- Re: applying AES-GCM to secure shell: proposed "tweak"
  - From: der Mouse

Prev by Date: Re: applying AES-GCM to secure shell: proposed "tweak"
Next by Date: KEX_OPTION (Re: applying AES-GCM to secure shell: proposed "tweak")
Previous by Thread: Re: applying AES-GCM to secure shell: proposed "tweak"
Next by Thread: Re: applying AES-GCM to secure shell: proposed "tweak"
Indexes:

Home | Main Index | Thread Index | Old Index