
Methods for Thwarting Corrupt Implementation of Data Encryption

IP.com Disclosure Number: IPCOM000116461D
Original Publication Date: 1995-Sep-01
Included in the Prior Art Database: 2005-Mar-30
Document File: 2 page(s) / 118K

Publishing Venue

IBM

Related People

Johnson, DB: AUTHOR [+2]

Abstract

Disclosed are four techniques for ensuring determinism in computer encryption methods such that a user of such methods may verify that the encryption does not contain covert information. The concept of a random number confounder used with message encryption is gaining in popularity. However, a confounder could be used by a corrupt implementation to provide a covert method of leaking arbitrary confidential information. This article considers alternatives to the confounder to address this concern.

This is the abbreviated version, containing approximately 48% of the total text.

      The use of a confounder in data encryption is gaining
popularity as it helps ensure that each encrypted message is
different and helps thwart pattern analysis attacks directed at the
beginning of messages.  A confounder is a secret random number,
typically 64 bits, which is prefixed to a message before the (now
expanded) message is encrypted.  On decryption, the confounder is
intended to be discarded and ignored.  The confounder is not intended
to be used for other purposes, such as message integrity.  Also, the
confounder is similar to but different from an initialization vector,
which is a random 64-bit quantity that is eXclusive-ORed (XOR) with
the first plaintext block of a message.  An encrypted confounder is a
part of the ciphertext, while an initialization vector is not,
although it is logically coupled to the recovery of the ciphertext.

      From the user's point of view, the use of a confounder makes
the message encryption process nondeterministic.  This simply means
that the value of the confounder is not under the control of the user
and furthermore cannot be verified in any way by the user.  In fact,
a corrupt implementation, say a system infected by a virus, could use
a confounder to leak secret information, such as a user's private key
used to generate digital signatures.  This would be bad.
Furthermore, such leakage may not even be detectable by the user.
This would be very bad.  The essential point of each of the four
methods discussed below is the same: to make the encryption method
deterministic from the user's point of view so that the user may
verify that the encryption method does not contain bits that cannot
be accounted for.

      The first method to address this concern is simply to not use a
confounder.  Other methods must then be used to address the concerns
the confounder addresses.  For example, a sequence number could be
included in the message.  This would make each message unique.  To
avoid possible patterns at the beginning of a cipher-block-chained
encrypted message, the message could be encrypted twice using the
output chaining vector of the first encryption as the initialization
vector of the second encryption.

      The decryption method for this technique is a little tricky
and is as follows: First, the system decrypts the (doubly) encrypted
text using the key and an initialization vector of bina...
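The first method (no confounder, a sequence number for uniqueness, and a second CBC pass keyed on the first pass's output chaining vector) together with its decryption, as an added example that is not code from the disclosure. It assumes a toy Feistel cipher in place of DES so it runs stand-alone, a shared first-pass IV, an all-zero dummy IV for the first decryption pass, an 8-byte sequence number, and a message that is already a multiple of 8 bytes.

```python
import hashlib
import hmac

BLOCK = 8  # 64-bit blocks, matching the DES-era setting of the disclosure
def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))
def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]

def block_encrypt(key: bytes, blk: bytes) -> bytes:
    # Toy 4-round Feistel cipher standing in for DES, only so the example runs stand-alone.
    l, r = blk[:4], blk[4:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return r + l

def block_decrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[4:], blk[:4]  # undo the final swap, then run the rounds backwards
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)  # the last block is the output chaining vector (OCV)

def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        out.append(_xor(block_decrypt(key, data[i:i + BLOCK]), prev))
        prev = data[i:i + BLOCK]
    return b"".join(out)

def encrypt_message(key: bytes, iv: bytes, seq: int, msg: bytes) -> bytes:
    # Method 1: no confounder; the sequence number makes each message unique and the output is deterministic.
    plain = seq.to_bytes(BLOCK, "big") + msg  # assumes msg is a multiple of 8 bytes
    c1 = cbc_encrypt(key, iv, plain)
    return cbc_encrypt(key, c1[-BLOCK:], c1)  # second pass uses the first pass's OCV as IV

def decrypt_message(key: bytes, iv: bytes, c2: bytes) -> tuple:
    # Decrypting with a dummy IV (zeros, an assumption here) recovers every inner block
    # but the first, so the last recovered block is the OCV; then fix up block 0 with it.
    partial = cbc_decrypt(key, bytes(BLOCK), c2)
    ocv = partial[-BLOCK:]
    c1 = _xor(partial[:BLOCK], ocv) + partial[BLOCK:]
    plain = cbc_decrypt(key, iv, c1)
    return int.from_bytes(plain[:BLOCK], "big"), plain[BLOCK:]
```

Because every output bit is a function of key, IV, sequence number and message, a user can recompute the ciphertext and compare it byte for byte, which is exactly the check a confounder prevents.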