IETF-SSH archive


Re: applying AES-GCM to secure shell: proposed "tweak"



On Thu, Apr 16, 2009 at 11:26:18AM -0400, der Mouse wrote:
> >> There are a lot of non-data messages that are full of uint32 fields
> >> that typically have at least 3/4 of their bits zero.  Some even use
> >> a 32-bit field to carry one bit of information.  Compressing these
> >> is valuable from the point of view of providing higher-entropy data
> >> as the cleartext to the encryption algorithm and therefore making it
> >> harder to attack.
> > Uhh, so breaking AES is going to be possible if the content is
> > uncompressed but not if it's compressed? :-)
> 
> Perhaps.  As a cryptographer I'm strictly a dilettante, but even I know
> that the lower the entropy of the plaintext, the easier it is to attack
> an encryption algorithm.  Knowing that most of the bits are zero could
> be the edge that makes the difference between working and failing for
> some attack - especially since you mostly know which ones they are (the
> high-order bits of most uint32s).

Lossless compression does not alter the amount of entropy in a message.
Therefore deterministic use/non-use of compression ought to have no
impact on known-plaintext attacks.
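As an added illustration of the point in this reply, not part of the thread itself: a short Python script with a constructed toy distribution over messages built from uint32 fields (mostly-zero high bits, one field carrying a single bit) shows that pushing the distribution through zlib, a deterministic and invertible transform, leaves the message entropy unchanged, even though the compressed bytes individually look more random. The message layout and probabilities are made up for the example.

```python
import math
import struct
import zlib
from collections import Counter

# Constructed message format: three big-endian uint32 fields, a fixed
# "type" value, a one-bit flag padded to 32 bits, and a small count.
def message(flag: int, count: int) -> bytes:
    return struct.pack(">III", 94, flag, count)

# Constructed toy distribution of what a sender emits (probabilities sum to 1).
DISTRIBUTION = {
    message(0, 1): 0.50,
    message(1, 1): 0.25,
    message(0, 2): 0.15,
    message(1, 3): 0.10,
}

def shannon_entropy(dist: dict) -> float:
    """Shannon entropy (bits) of a probability distribution over whole messages."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)

def push_forward(dist: dict, fn) -> dict:
    """Distribution of fn(X) when X is drawn from dist; merges colliding outputs."""
    out = Counter()
    for msg, p in dist.items():
        out[fn(msg)] += p
    return dict(out)

def compress(msg: bytes) -> bytes:
    return zlib.compress(msg, 9)

def per_byte_entropy(data: bytes) -> float:
    """Empirical entropy per byte of a single blob: the 'looks random' measure."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def message_entropy_before_and_after() -> tuple:
    """Entropy of the plaintext distribution before and after compression."""
    return (shannon_entropy(DISTRIBUTION),
            shannon_entropy(push_forward(DISTRIBUTION, compress)))

def compression_is_injective() -> bool:
    """Distinct plaintexts compress to distinct outputs, so nothing is merged."""
    outputs = {compress(m) for m in DISTRIBUTION}
    return len(outputs) == len(DISTRIBUTION) and all(
        zlib.decompress(compress(m)) == m for m in DISTRIBUTION)

def looks_more_random_per_byte(msg: bytes) -> tuple:
    """Per-byte entropy of one raw message versus its compressed form."""
    return per_byte_entropy(msg), per_byte_entropy(compress(msg))
```

The per-byte figures differ, which is the impression the quoted message describes, but the distribution entropy, which is what a known-plaintext attacker actually exploits, is identical before and after.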


