See Matt Blaze's "Protocol Failure in the Escrowed Encryption Standard", http://www.crypto.com/papers/eesproto.pdf
On Mar 28, 2013, at 10:16 AM, Ethan Heilman <[email protected]> wrote: > Peter, > > Do I understand you correctly. The checksum is calculated using a key or the > checksum algorithm is secret so that they can't generate checksums for new > keys? Are they using a one-way function? Do you have any documentation about > this? > > Thanks, > Ethan > > > On Wed, Mar 27, 2013 at 11:50 PM, Peter Gutmann <[email protected]> > wrote: > Jeffrey Walton <[email protected]> writes: > > >What is the reason for checksumming symmetric keys in ciphers like BATON? > > > >Are symmetric keys distributed with the checksum acting as a authentication > >tag? Are symmetric keys pre-tested for resilience against, for example, > >chosen ciphertext and related key attacks? > > For Type I ciphers the checksumming goes beyond the simple DES-style error > control, it's also to ensure that if someone captures the equipment they can't > load their own, arbitrary keys into it. > > Peter. > _______________________________________________ > cryptography mailing list > [email protected] > http://lists.randombit.net/mailman/listinfo/cryptography > > _______________________________________________ > cryptography mailing list > [email protected] > http://lists.randombit.net/mailman/listinfo/cryptography --Steve Bellovin, https://www.cs.columbia.edu/~smb _______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
