nonce length

Section 6.3 states: "Some encryption algorithms take an
initialization vector such that an adversary modifying the
IV can make a known change in the plain text after decryption.
This attack can be avoided by securing the integrity of the
plain text data, for example by signing it, or, for most
such algorithms, by including an algorithm dependent length.
A nonce at least as long as the block for CBC chaining block
encryption algorithms may be adequate."

It is unclear to me what "algorithm dependent length" is
referring to in the second sentence.  Is this referring to 
the possibility that the structure of CBC encryption 
algorithms (and perhaps others) allows blocks to be added to 
the end of an encrypted message w/o being detected? 

Additionally, I believe the final sentence should be
clarified.  Is this implying that a nonce would only be useful
to block algorithms in CBC mode?  (I realize that the 
specification currently lists only block encryption algorithms 
in CBC mode, but it appears to leave open the possibility for
future specification of stream ciphers).  Also, it would be
useful to give a firm recommendation as to the length of the
nonce that should be employed for reasonable protection against
chosen plaintext attacks.  Although the specification states 
that it should be at least as long as a CBC block for a given 
algorithm, does this mean that a nonce *exactly* as long as a 
block is sufficient?  Would it be better to make it longer
and, if so, how much?

Dan Lanz

Received on Thursday, 3 January 2002 14:02:00 UTC
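An added example, not part of Dan Lanz's message or of the XML Encryption specification it quotes, showing the CBC IV malleability that section 6.3 describes and the integrity check that makes it detectable. It uses Go's standard library with constructed keys and a constructed two-block message; the function names (`DecryptWithIVChange`, `Tag`, `Verify`) are this example's own, and an HMAC stands in for the spec's "signing it" as the integrity mechanism.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
)

// Constructed key material and message; none of it comes from the spec.
var (
	EncKey      = []byte("0123456789abcdef0123456789abcdef") // AES-256 key
	MacKey      = []byte("fedcba9876543210fedcba9876543210") // separate HMAC key
	IV          = []byte("constructed-iv16")                 // exactly one AES block
	Plaintext   = []byte("Amount=0100;pad.second-block-16b") // two whole blocks
	AESBlock, _ = aes.NewCipher(EncKey)                      // error is nil for a 32-byte key
)

// Whole-block CBC without padding, to keep the IV in focus.
func CBCEncrypt(b cipher.Block, iv, pt []byte) []byte {
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(b, iv).CryptBlocks(ct, pt)
	return ct
}
func CBCDecrypt(b cipher.Block, iv, ct []byte) []byte {
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(b, iv).CryptBlocks(pt, ct)
	return pt
}

// The malleability the spec describes: P1 = D(C1) XOR IV, so XORing delta
// into IV byte pos XORs delta into byte pos of the first plaintext block;
// later blocks are chained from ciphertext and are unaffected.
func DecryptWithIVChange(b cipher.Block, iv, ct []byte, pos int, delta byte) []byte {
	iv2 := append([]byte(nil), iv...)
	iv2[pos] ^= delta
	return CBCDecrypt(b, iv2, ct)
}

// Encrypt-then-MAC over IV||ciphertext: a receiver that runs Verify before
// decrypting rejects a changed IV instead of turning it into plaintext.
func Tag(macKey, iv, ct []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(iv)
	m.Write(ct)
	return m.Sum(nil)
}
func Verify(macKey, iv, ct, tag []byte) bool {
	return hmac.Equal(Tag(macKey, iv, ct), tag)
}
```

Because only the first block is touched and the IV is sent in the clear, a nonce by itself does not stop this; the spec's own remedy, binding the IV and ciphertext under an integrity check, is what `Verify` demonstrates.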