Re: Knowledge of Initialization vectors

From: Scott Fluhrer (sfluhrer_at_ix.netcom.com)
Date: 04/29/03


Date: Tue, 29 Apr 2003 07:16:06 -0700


"Mok-Kong Shen" <mok-kong.shen@t-online.de> wrote in message
news:3EAE546A.6E0D4699@t-online.de...
>
>
> Terry Ritter wrote:
> >
> > Benjamin Goldberg <goldbb2@earthlink.net> wrote:
>
> > > The initialization vector can be safely provided with the ciphertext;
> > > generally, their only requirement is that you never use a particular IV
> > > with more than one message.
> >
> > There is a potential problem with the first block of CBC. See:
> >
> > http://www.ciphersbyritter.com/GLOSSARY.HTM#CipherBlockChaining
>
> This implies that one should preferably have the IV sent
> encrypted. Is that right? Thanks.

Actually, the problem that Terry mentions is one way in which CBC is
malleable -- that is, an attacker can modify the ciphertext to produce
predictable or semipredictable changes in the plaintext. Since it is not
the only one, blocking this attack while allowing similar attacks may not
make sense. The real solution is to use some integrity check, such as a
MAC.

--
poncho
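The malleability and the fix, as an added Go example that is not part of the thread: cbcDecrypt alone lets a mask XORed into the transmitted IV appear unchanged in the first plaintext block, while unseal (encrypt-then-MAC, HMAC-SHA256 over IV and ciphertext) rejects the same modification before decrypting. Keys, IVs and messages used with it are constructed sample values, and the function names are mine.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)

// mustBlock builds the AES cipher; the key must be 16, 24 or 32 bytes long.
func mustBlock(key []byte) cipher.Block {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return b
}
// cbcEncrypt returns iv||ciphertext; plaintext must be block-aligned (no padding here).
func cbcEncrypt(key, iv, plaintext []byte) []byte {
	ct := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(mustBlock(key), iv).CryptBlocks(ct, plaintext)
	return append(append([]byte{}, iv...), ct...)
}
// cbcDecrypt decrypts iv||ciphertext with no integrity check at all.
func cbcDecrypt(key, msg []byte) []byte {
	pt := make([]byte, len(msg)-aes.BlockSize)
	cipher.NewCBCDecrypter(mustBlock(key), msg[:aes.BlockSize]).CryptBlocks(pt, msg[aes.BlockSize:])
	return pt
}
// xorIntoIV models the first-block malleability: a mask XORed into IV byte pos lands in plaintext byte pos.
func xorIntoIV(msg []byte, pos int, mask byte) []byte {
	out := append([]byte{}, msg...)
	out[pos%aes.BlockSize] ^= mask
	return out
}
// tag is HMAC-SHA256 over iv||ciphertext (encrypt-then-MAC); the IV is covered too.
func tag(macKey, msg []byte) []byte {
	h := hmac.New(sha256.New, macKey)
	h.Write(msg)
	return h.Sum(nil)
}
// unseal takes iv||ciphertext||tag and checks the tag in constant time before decrypting anything.
func unseal(encKey, macKey, sealed []byte) ([]byte, error) {
	n := len(sealed) - sha256.Size
	if n < aes.BlockSize || !hmac.Equal(tag(macKey, sealed[:n]), sealed[n:]) {
		return nil, errors.New("rejected: too short, or IV/ciphertext was modified")
	}
	return cbcDecrypt(encKey, sealed[:n]), nil
}
```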

