[Interest] Interest Digest, Vol 97, Issue 4

Thiago Macieira thiago.macieira at intel.com
Sun Oct 6 19:10:19 CEST 2019

On Saturday, 5 October 2019 14:38:17 PDT Roland Hughes wrote:
> With a fingerprint database you need ONE magic packet. For JSON, that is
> any packet in the stream because you are looking for
> " : "
> ":"
> " :"
> ": "
> as an encrypted fingerprint with many instances in the packet. If the
> encryption algorithm used consistently encrypts the same character
> string the exact same way within a packet a human just glancing at the
> sniff could see the repetition

You do realise that's not how modern encryption works, right? You do realise 
that SSL/TLS rekeys periodically to avoid even a compromised key from going 
further? That's what the "data limit for all ciphersuits" means: rekey after a 

You're apparently willfully ignoring the fact that the same cleartext will not 
result in the same ciphertext when repeated in the transmission, even between 
two rekey events.

> For xml you just need to find
> <?xml version=
> or the first 8 bytes of it (for the 64-bit block ciphers) and you are
> golden.

Which is why we don't use 64-bit block ciphers anymore. We are using 128- and 
256-bit AES, which works very differently. You can't compute a fingerprint 
database for those. And even if you could, you d still have birthday attacks: 
two keys could result in the same ciphertext for the same input, but not for 
the next input. 

And don't forget the Initialisation Vector. Even if you could compute the 
fingerprint database, you still need to multiply it by 2^128 to account for 
all possible IVs.

Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel System Software Products

More information about the Interest mailing list