RE: Fwd: [DES-ANNOUNCE] New clients and 'spamming'

Justin Dolske (dolske@cis.ohio-state.edu)
Mon, 5 May 1997 16:01:36 -0400 (EDT)


On Mon, 5 May 1997, James Johnson wrote:

> We could use a key based encryption (kind of ironic). The server could have
> one key, and each machine randomly pick a key for that block. So upon a
> block request the host would send it's 'public' key along with the request,
> the sever would encode the reply, and tack its public 'key' to the end of
> the message. Once the host recieved that information the it could decode
> the message, crunch the DES block, and encode the reply with the sever's
> public key.

All this does is make sure that a client actually requested a keyblock
before it returned the result. A trivial way to bypass this is:

while(1) {
RequestBlock();
/* NOP */
ReplyNotFound();
}

The suggested protocol is also vulnerable to replay attacks. :-)

Justin Dolske <URL:http://www.cis.ohio-state.edu/~dolske/>
(dolske@cis.ohio-state.edu)
Graduate Fellow / Research Associate at The Ohio State University, CIS Dept.
-=-=-=-=-=-=-=-=-=-=-=-=-=- Random Sig-o-Matic (tm) -=-=-=-=-=-=-=-=-=-=-=-=-
Let me be by myself in the evening breeze, / Listen to the murmur of the
cottonwood trees, / Send me off forever, but I ask you, please, / Don't
fence me in. -- Cole Porter's "Don't Fence Me In"