On May 11, 2009, at 7:08 PM, Matt Ball wrote:
> Practically, to make this work, you'd want to look at the solutions
> that support 'data deduplication' (see
> http://en.wikipedia.org/wiki/Data_deduplication). These techniques
> typically break the data into variable length 'chunks', and
> de-duplicate by computing the hash of these chunks and comparing to
> the hashes of chunks already stored in the system. These chunks
> provide a useful encryption unit, but they're still somewhat
> susceptible to traffic analysis. The communication should
> additionally be protected by SSH, TLS, or IPsec to reduce the exposure
> to traffic analysis.

It's interesting that data-dedup-friendly modes inherently allow an
attacker to recognize duplicated plaintext based only on the
ciphertext. That's their whole point. But this is exactly the
primary weakness of ECB mode. It's actually a bit funny: ECB mode
lets you recognize repetitions of what are commonly small, probably
semantically meaningless, pieces of plaintext. Data-dedup-friendly
modes let you recognize repetitions of what are commonly large chunks
of semantically meaningful plaintext. Yet we reject ECB as insecure
but accept the insecurity of data-dedup-friendly modes because they
are so useful!
-- Jerry
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
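The mechanism Matt describes and the weakness Jerry points at, as an added example that is not code from this thread or from any deduplication product: a Python sketch of content-defined chunking followed by convergent encryption (each chunk encrypted under a key derived from its own hash, so equal plaintext chunks give equal ciphertext and the store can deduplicate them). The gear-style rolling hash, the SHA-256 counter-mode keystream standing in for a real cipher, and the chunk sizes are all assumptions made for the illustration, not a specification. The demo shows that an insertion near the front of a file shifts every later byte yet most chunks still dedup, that the store (or anyone watching the ciphertexts) can therefore tell which chunks the two files share, and that encrypting under a fresh random key removes that leak at the cost of dedup.

```python
import hashlib
import os
import random

# Gear table for the rolling hash: one fixed 32-bit value per byte (seeded so runs repeat).
_rng = random.Random(0x5EED)
GEAR = [_rng.getrandbits(32) for _ in range(256)]


def chunk_boundaries(data: bytes, min_size=256, avg_bits=10, max_size=4096):
    """Content-defined chunking (assumed parameters). A boundary is cut when the low
    avg_bits bits of the rolling hash are zero, so boundaries depend only on the last
    ~avg_bits bytes and re-synchronise after an insertion or deletion."""
    mask = (1 << avg_bits) - 1
    chunks, start, h, i, n = [], 0, 0, 0, len(data)
    while i < n:
        h = ((h << 1) + GEAR[data[i]]) & 0xFFFFFFFF
        i += 1
        size = i - start
        if (size >= min_size and (h & mask) == 0) or size >= max_size:
            chunks.append(data[start:i])
            start, h = i, 0
    if start < n:
        chunks.append(data[start:])
    return chunks


def keystream(key: bytes, length: int) -> bytes:
    # Toy stream cipher: SHA-256 in counter mode. Illustration only, not a vetted construction.
    out, ctr = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def convergent_encrypt(chunk: bytes):
    """Key = H(chunk): identical plaintext chunks encrypt to identical ciphertext,
    which is exactly what lets the store deduplicate them (and what leaks)."""
    key = hashlib.sha256(b"convergent-key|" + chunk).digest()
    chunk_id = hashlib.sha256(b"chunk-id|" + key).digest()  # index the store uses
    return chunk_id, key, _xor(chunk, keystream(key, len(chunk)))


def convergent_decrypt(key: bytes, ct: bytes) -> bytes:
    return _xor(ct, keystream(key, len(ct)))


def random_key_encrypt(chunk: bytes):
    """Contrast: a fresh random key per chunk. No dedup, but no repetition is visible."""
    key = os.urandom(32)
    return key, _xor(chunk, keystream(key, len(chunk)))


class DedupStore:
    """Holds only chunk_id -> ciphertext, i.e. what the server or a passive observer sees."""

    def __init__(self):
        self.blobs = {}
        self.uploads = 0

    def put_file(self, data: bytes):
        manifest = []
        for c in chunk_boundaries(data):
            cid, key, ct = convergent_encrypt(c)
            if cid not in self.blobs:      # dedup: the ciphertext is already there
                self.blobs[cid] = ct
                self.uploads += 1
            manifest.append((cid, key))    # the client keeps the keys, the store does not
        return manifest

    def get_file(self, manifest) -> bytes:
        return b"".join(convergent_decrypt(k, self.blobs[cid]) for cid, k in manifest)


def demo():
    # Constructed sample data: a 20 KB pseudo-random file and a copy with 8 bytes
    # inserted near the front, which shifts every byte after the insertion point.
    rnd = random.Random(1)
    file_a = bytes(rnd.getrandbits(8) for _ in range(20000))
    file_b = file_a[:5000] + b"INSERTED" + file_a[5000:]
    store = DedupStore()
    man_a = store.put_file(file_a)
    man_b = store.put_file(file_b)
    # What an observer of the ciphertext store can conclude: these chunks are shared.
    shared = {cid for cid, _ in man_a} & {cid for cid, _ in man_b}
    return {
        "chunks_a": len(man_a),
        "chunks_b": len(man_b),
        "shared": len(shared),
        "uploads": store.uploads,
        "roundtrip": store.get_file(man_b) == file_b,
    }


if __name__ == "__main__":
    print(demo())
```

Run it and compare `uploads` with `chunks_a + chunks_b`: the difference is the bandwidth and storage the scheme saves, and `shared` is precisely the repetition an observer learns without any key, which is the ECB-style leakage Jerry describes, only at the granularity of whole chunks instead of 16-byte blocks.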