Re: security risk of IV in plaintext CBC mode
- From: "Matthew Fanto" <mfanto@xxxxxxxxx>
- Date: 12 Feb 2007 11:55:49 -0800
On Feb 12, 2:14 pm, rossum <rossu...@xxxxxxxxxxxx> wrote:

> If an attacker can change the IV in transit then she can affect the
> decryption of the first cyphertext block. How important is an
> uncorrupted decryption of the first block of plaintext to you?
> Using a MAC to authenticate the message would detect the corrupted
> first block.

Even if the IV is not exposed, the attacker can still tamper.
Obviously if the IV is exposed in the clear, it is the easiest to
tamper in a meaningful way, but you still want some integrity even if
the IV is not exposed.

Flipping a bit in a ciphertext block is going to destroy that
plaintext block and flip the bit in the next plaintext block. Bit
flipping can be very powerful, and I don't think "the block is
garbled" counts as integrity checking.

You should always MAC and not rely on CBC to provide integrity.
Best,
Matthew Fanto
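The two effects described in the post above, shown as an added worked example (this code is not from the thread or from either poster). It implements CBC mode over a toy 128-bit Feistel block cipher built from SHA-256, which is only there to be a self-contained keyed permutation; the bit-flipping behaviour is a property of the mode, not of the cipher. `tamper_iv` flips one IV bit and shows that exactly the same bit of plaintext block 0 flips; `tamper_ciphertext` flips one bit of ciphertext block i and shows block i garbling while the same bit of block i+1 flips. `seal`/`open_sealed` add an encrypt-then-MAC (HMAC-SHA256 over IV and ciphertext) so that either tampering is rejected before decryption. The key, IV and the `amount=...`/`recipient=...` message are constructed demo values.

```python
import hashlib
import hmac
import os

BLOCK = 16      # 128-bit blocks, the same width as AES
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function of the toy Feistel cipher. NOT a real cipher: it is
    # only a stand-in keyed permutation so the CBC mode behaviour is observable.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def block_encrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r


def block_decrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:BLOCK // 2], blk[BLOCK // 2:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    # Padding is omitted on purpose; the input must be whole blocks.
    if len(pt) % BLOCK:
        raise ValueError("plaintext must be a whole number of blocks")
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))   # C_i = E(P_i ^ C_{i-1})
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))            # P_i = D(C_i) ^ C_{i-1}
        prev = c
    return b"".join(out)


def flip_bit(data: bytes, bit: int) -> bytes:
    """Flip bit number `bit` (byte = bit // 8, bit within byte = bit % 8)."""
    b = bytearray(data)
    b[bit // 8] ^= 1 << (bit % 8)
    return bytes(b)


def tamper_iv(key: bytes, iv: bytes, ct: bytes, bit: int) -> bytes:
    """Attacker flips one IV bit: the same bit of plaintext block 0 flips, nothing else."""
    return cbc_decrypt(key, flip_bit(iv, bit), ct)


def tamper_ciphertext(key: bytes, iv: bytes, ct: bytes, block_idx: int, bit: int) -> bytes:
    """Attacker flips one bit of ciphertext block i: block i decrypts to garbage
    (D is a permutation, so a different input gives a different output) and the
    same bit of plaintext block i+1 flips, because P_{i+1} = D(C_{i+1}) ^ C_i."""
    return cbc_decrypt(key, iv, flip_bit(ct, block_idx * BLOCK * 8 + bit))


# Encrypt-then-MAC: the tag covers IV || ciphertext, so either tampering is caught.
def seal(enc_key: bytes, mac_key: bytes, pt: bytes) -> bytes:
    iv = os.urandom(BLOCK)
    ct = cbc_encrypt(enc_key, iv, pt)
    return iv + ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()


def open_sealed(enc_key: bytes, mac_key: bytes, msg: bytes):
    iv, ct, tag = msg[:BLOCK], msg[BLOCK:-32], msg[-32:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                     # reject before decrypting anything
    return cbc_decrypt(enc_key, iv, ct)


# Constructed demo values (not taken from the thread).
KEY = b"\x11" * 16
MAC_KEY = b"\x22" * 32
IV = bytes(range(16))
PT = b"amount=00100.00;" + b"recipient=alice!"   # two exact blocks

if __name__ == "__main__":
    ct = cbc_encrypt(KEY, IV, PT)
    print(tamper_iv(KEY, IV, ct, 7 * 8 + 0))               # '0' -> '1' in the amount
    print(tamper_ciphertext(KEY, IV, ct, 0, 10 * 8 + 5))   # block 0 garbled, 'a' -> 'A' in block 1
    sealed = seal(KEY, MAC_KEY, PT)
    print(open_sealed(KEY, MAC_KEY, flip_bit(sealed, 7 * 8)))   # rejected by the MAC
```

Note that `tamper_ciphertext` needs no knowledge of the key: the attacker only needs to know (or guess) the plaintext layout of block i+1, which is exactly why "block i is garbled" is not an integrity check, and why the MAC must cover the IV as well as the ciphertext.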
- References:
- security risk of IV in plaintext CBC mode
- From: kornduff
- Re: security risk of IV in plaintext CBC mode
- From: rossum