On the IV of CBC mode

From: Clemens Fruhwirth (clemens-dated-1091356155.f3c4_at_endorphin.org)
Date: 07/11/04


Date: Sun, 11 Jul 2004 10:50:45 GMT

Hi,

I have lately received critiques for implementing an encryption system
using CBC mode and a well known IV for well known plain text. (The IV is
derived from the sector number of a raw block device, and usually you have
a superblock at sector 0, therefore one knows the approximate plain text
and the IV).

The critique is, in fact, that I don't make the IV depend on the key like
IV=SHA1(key). It is argued that one can precompute a dictionary for this
setup by computing the result for all K with the known IV. But my
counterargument is that making the first encryption step of a CBC mode setup
E(K,P XOR SHA1(K)) instead of E(K,P XOR known-IV) does not defeat the
problem of precomputation, since computing E(K,P XOR SHA1(K)) for all K
has the same complexity as the original form. Making the IV depend on the
key is equal to doing the first encryption step with a different cipher
which takes no IV at all (since it's computed internally with IV=SHA1(K)).
So from the security point of view there is no gain.

In my opinion this problem can only be defeated with a true
random IV and further (because it's not that easy ATM to achieve that) the
security properties of the cipher should be sufficient against attacking
well-known plain text. Can this reasoning be followed by the group?

Best Regards, Clemens
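
The argument in the message above, as an added example that is not part of the original post: a precomputed table of first CBC blocks is built with one cipher call per candidate key whether the IV is the sector number or SHA1(K), and it stops matching only when the IV is chosen at random per encryption. Assumptions: a toy Feistel permutation stands in for E, the key space is 16 bits, SHA1(K) is truncated to one block, and all names and sample values are constructed for illustration.

```python
import hashlib, os

BLOCK = 16  # block size in bytes

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def E(key, block):
    """Toy 4-round Feistel permutation standing in for the block cipher E(K, .)."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def iv_sector(key, sector):
    """Publicly known IV: the sector number."""
    return sector.to_bytes(BLOCK, "little")

def iv_sha1(key, sector):
    """Key-derived IV = SHA1(K), truncated to one block (assumption)."""
    return hashlib.sha1(key).digest()[:BLOCK]

def first_block(key, plain, iv):
    """First CBC step: C1 = E(K, P xor IV)."""
    return E(key, xor(plain, iv))

def build_table(iv_fn, plain, sector, keyspace):
    """Precompute C1 -> K for every candidate key; one E() call per key."""
    return {first_block(k, plain, iv_fn(k, sector)): k for k in keyspace}

# Constructed inputs: 16-bit toy key space, guessed superblock prefix at sector 0.
KEYSPACE = [i.to_bytes(2, "big") for i in range(2 ** 16)]
KNOWN_PLAIN = b"SUPERBLOCK-MAGIC"   # 16 bytes, constructed
SECRET = (0xBEEF).to_bytes(2, "big")

def recover(iv_fn, observed_iv=None):
    """Build the table ahead of time, then look up the observed first block."""
    table = build_table(iv_fn, KNOWN_PLAIN, 0, KEYSPACE)
    iv = observed_iv if observed_iv is not None else iv_fn(SECRET, 0)
    return table.get(first_block(SECRET, KNOWN_PLAIN, iv))

if __name__ == "__main__":
    print("sector IV  :", recover(iv_sector))   # table built before seeing any data
    print("SHA1(K) IV :", recover(iv_sha1))     # same number of E() calls
    print("random IV  :", recover(iv_sector, os.urandom(BLOCK)))  # table is stale
```

The random-IV case fails for the table builder because the IV is not known until the ciphertext is observed, so the work cannot be done ahead of time; the cost per candidate key afterwards is unchanged.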


