Re: Initialization Vector schedule



Greg Rose wrote:
> In article <1c212e07abd1229c21fc82fa900ada4f@xxxxxxxxxxxxxxxxxxxxxxxx>,
> Anonymous <nobody@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> [...]
>> So code examples like this one:
>>
>> http://www.obviex.com/samples/Encryption.aspx
>>
>> really suck since they don't show that after the first call to
>> Encrypt(), all subsequent calls to Encrypt() need to have the
>> ciphertext of the previous call inserted in the IV parameter. Correct?
>
> NO! This is exactly the bug that bit TLS 1.0.
> The ciphertext from the previous call can be
> assumed known to an attacker. It should create
> a new random(-looking) IV for each call.

I think the problem here is the definition of "call". You don't need a
new random IV for each 128-bit block of plaintext. That would be insane,
and I don't think that is what you're saying (but it might be read as such).

If you're in a scenario where the attacker can inject plaintext into the
middle of your stream (like in BEAST) then you need a new IV for each
"message" (or packet, or...) where a message is a contiguous sequence of
blocks from the same source.

But I think we all agree here; I just wanted to make it extra clear...

--
Paulo Marques
Software Development Department - Grupo PIE, S.A.
Phone: +351 252 290600, Fax: +351 252 290601
Web: www.grupopie.com

"There cannot be a crisis today; my schedule is already full."
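The two IV schedules discussed in this thread side by side, as an added example that is not code from any of the posters: the chained scheme the question proposes (next IV = last ciphertext block of the previous message, as in TLS 1.0) and the fresh-random-IV-per-message scheme, plus a check that flags IV chaining in a captured sequence of (IV, ciphertext) records. It assumes a SHA-256 based keyed function as a stand-in for the AES block function so it runs with the standard library only; only the IV handling is the point.

```python
import hashlib
import os

BLOCK = 16

def _block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in (assumption) for the AES block function: a keyed PRF built
    # from SHA-256 so the example runs offline. Not a real block cipher.
    return hashlib.sha256(key + block).digest()[:BLOCK]

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Plain CBC: each plaintext block is XORed with the previous ciphertext
    # block (the IV for the first block) before the block function.
    assert len(plaintext) % BLOCK == 0, "caller pads to whole blocks"
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(plaintext[i:i + BLOCK], prev))
        prev = _block_encrypt(key, mixed)
        out.append(prev)
    return b"".join(out)

class ChainedIvSender:
    """The schedule the question proposes (and TLS 1.0 used): the IV of
    message n+1 is the last ciphertext block of message n. Anyone who saw
    message n on the wire therefore knows the IV of message n+1 in advance."""
    def __init__(self, key: bytes, first_iv: bytes):
        self.key, self.next_iv = key, first_iv
    def send(self, msg: bytes):
        iv = self.next_iv
        ct = cbc_encrypt(self.key, iv, msg)
        self.next_iv = ct[-BLOCK:]
        return iv, ct

class RandomIvSender:
    """What Greg recommends: a fresh random IV per message, sent with it."""
    def __init__(self, key: bytes):
        self.key = key
    def send(self, msg: bytes):
        iv = os.urandom(BLOCK)
        return iv, cbc_encrypt(self.key, iv, msg)

def chained_iv_records(records):
    """Given captured (iv, ct) records in order, return the indexes of records
    whose IV equals the previous record's last ciphertext block: the
    signature of IV chaining that a protocol reviewer should flag."""
    return [n for n in range(1, len(records))
            if records[n][0] == records[n - 1][1][-BLOCK:]]
```

Note that a fresh IV is needed per message, not per 128-bit block, exactly as Paulo says above; within one message CBC's own chaining is what is supposed to happen.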