On May 11, 2009, at 7:08 PM, Matt Ball wrote:
Practically, to make this work, you'd want to look at the solutions
that support 'data deduplication' (see
http://en.wikipedia.org/wiki/Data_deduplication).  These techniques
typically break the data into variable length 'chunks', and
de-duplicate by computing the hash of these chunks and comparing to
the hashes of chunks already stored in the system.  These chunks
provide a useful encryption unit, but they're still somewhat
susceptible to traffic analysis.  The communication should
additionally be protected by SSH, TLS, or IPsec to reduce the exposure
to traffic analysis.
It's interesting that data-dedup-friendly modes inherently allow an attacker to recognize duplicated plaintext based only on the ciphertext. That's their whole point. But this is exactly the primary weakness of ECB mode. It's actually a bit funny: ECB mode lets you recognize repetitions of what are commonly small, probably semantically meaningless, pieces of plaintext. Data-dedup-friendly modes let you recognize repetitions of what are commonly large chunks of semantically meaningful plaintext. Yet we reject ECB as insecure but accept the insecurity of data-dedup-friendly modes because they are so useful!
                                                        -- Jerry

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Reply via email to