Re: Fwd: [DES-ANNOUNCE] New clients and 'spamming'

Justin Dolske (dolske@cis.ohio-state.edu)
Mon, 5 May 1997 20:12:10 -0400 (EDT)


On Mon, 5 May 1997, Dan Oetting wrote:

> The damage done by malicious clients is ZERO until the search reaches 100%.
> Except for a small load on the server the only effect is to inflate the
> statistics. If the search does reach 100% coverage there will be a small
> loss while the logs are spot checked to uncover the perpetrators.

That's true, assuming you have a way to detect malicious clients. I
believe that's what we were discussing. :-) If you don't have a way to
detect malicious clients, you must completely start over when 100% is
reached. I'd call that damage.

> Every new host should be checked once to be sure it is not inadvertently
> running a bad client.

That's fairly obvious. So what if I run my clients "nicely" for a couple
weeks, and then start doing bogus searches? That's the first thing I would
do if I was going to hack one of the contests.

> If you require the client to find all matches to a pattern that has at
> least a probability of multiple occurrences within the range you will force
> a 100% search if the client doesn't want to get caught cheating.

But you're requiring as much work to double check the result as a
checksum! The point of the single message is that a server can pick *1*
key from the 2^29 block of keys, and find its result. The client then has
to decode, on average, 2^28 keys to find it. This is about the most secure
method I know of to ensure that the client is, at the minimum, testing
keys. If nothing else, it slows an attacker down.

> You will detect it when someone else claims the prize. It will be too late
> for spot checking.

Not a concern, until a large portion of the keyspace has been searched.
We've searched only a tiny amount of the keyspace, so right now a DESCHALL
client and an independent client have about the same odds of finding the
key.

But, as I said, there's not much you can do to guard against a client that
does nothing malicious except not reporting when the key is found. If you
could, we wouldn't need to brute force DES! :-)

Justin Dolske <URL:http://www.cis.ohio-state.edu/~dolske/>
(dolske@cis.ohio-state.edu)
Graduate Fellow / Research Associate at The Ohio State University, CIS Dept.
-=-=-=-=-=-=-=-=-=-=-=-=-=- Random Sig-o-Matic (tm) -=-=-=-=-=-=-=-=-=-=-=-=-
Did you hear about the new corduroy pillow?
...It's making headlines all over town.
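
The single-message check described in the reply above (the server picks one key from the block and the client has to find it), sketched as an added example that is not part of the original post or of the DESCHALL code. Assumptions: a truncated HMAC-SHA256 stands in for one DES trial, the block holds 2^12 keys rather than 2^29, and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

BLOCK_BITS = 12  # constructed toy size; the post discusses 2^29-key blocks
BLOCK_SIZE = 1 << BLOCK_BITS


def trial(key: int, plaintext: bytes) -> bytes:
    """Stand-in for one DES trial encryption (assumption: HMAC-SHA256, 8 bytes)."""
    return hmac.new(key.to_bytes(8, "big"), plaintext, hashlib.sha256).digest()[:8]


def issue_block(start: int, plaintext: bytes):
    """Server: plant one secret key in the block. Costs the server one trial."""
    planted = start + secrets.randbelow(BLOCK_SIZE)
    challenge = {"start": start, "plaintext": plaintext,
                 "target": trial(planted, plaintext)}
    return challenge, planted


def honest_client(challenge):
    """Client that really tests keys: returns (matching key, trials spent)."""
    start = challenge["start"]
    for spent, key in enumerate(range(start, start + BLOCK_SIZE), 1):
        if hmac.compare_digest(trial(key, challenge["plaintext"]),
                               challenge["target"]):
            return key, spent
    return None, BLOCK_SIZE


def lazy_client(challenge):
    """Client that reports the block as done without testing any key."""
    return None, 0


def server_accepts(challenge, reported_key) -> bool:
    """Server check: one trial on the reported key, no re-search of the block."""
    if reported_key is None:
        return False
    start = challenge["start"]
    if not start <= reported_key < start + BLOCK_SIZE:
        return False
    return hmac.compare_digest(trial(reported_key, challenge["plaintext"]),
                               challenge["target"])
```

The honest client's trial count averages half the block, which is the 2^28 figure in the post scaled down; the check says nothing about whether a client would report the real contest key, the limitation the post ends on.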