W3C home > Mailing lists > Public > xml-encryption@w3.org > November 2001

Re: Encrypting IV in ECB

From: Donald E. Eastlake 3rd <dee3@torque.pothole.com>
Date: Sat, 10 Nov 2001 00:17:43 -0500
Message-Id: <200111100517.AAA0000101867@torque.pothole.com>
To: Christian Geuer-Pollmann <geuer-pollmann@nue.et-inf.uni-siegen.de>
cc: XML Encryption WG <xml-encryption@w3.org>

While this doesn't seem like such a bad idea, I'm not aware of any
other standards that do this and I'm not sure we should be the first.
This just seems like another case where you want a message integrity
check or signature inside the encryption.

Donald

From:  Christian Geuer-Pollmann <geuer-pollmann@nue.et-inf.uni-siegen.de>
Date:  Sat, 03 Nov 2001 11:27:53 +0100
To:  XML Encryption WG <xml-encryption@w3.org>
Cc:  Joseph Reagle <reagle@w3.org>
Message-id:  <4059493363.1004786873@pinkpanther>

>Hi all,
>
>about the use of the IV in block encryption in CBC mode: 
>[Menezes/Orschoot/Vanstone] state in Remark 7.16 (integrity if IV in CBC):
>
>  "While the IV in the CBC mode need not be secret, its
>   integrity should be protected, since malicious
>   modifications thereof allows an adversary to make
>   predictable bit changes to the first plaintext
>   block recovered."
>
>Suggestion:
>
>If we encrypt the IV in Electronic Codebook Mode (ECB), we ensure that 
>modifications on the bit layer will break decryption of the complete block.
>
>  "ALGORITHM is used in the Cipher Block Chaining
>   (CBC) mode with a ALGO_KEY_BIT_LENGTH bit
>   Initialization Vector (IV). <ADD>The IV is
>   encrypted in ECB mode.</ADD> The resulting
>   cipher text is prefixed by the
>   <ADD>encrypted</ADD> IV."
>
>Does this make sense to you?
>
>Best regards,
>Christian
>
>[Menezes/Orschoot/Vanstone] Handbook of applied cryptography, page 230
>
Received on Saturday, 10 November 2001 00:20:15 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 27 October 2009 08:42:19 GMT