W3C home > Mailing lists > Public > xml-encryption@w3.org > January 2002

Re: nonce length

From: Dan Lanz <lanz@zolera.com>
Date: Tue, 08 Jan 2002 10:49:15 -0500
Message-ID: <3C3B14FB.2C21ED77@zolera.com>
To: "Donald E. Eastlake 3rd" <dee3@torque.pothole.com>
CC: xml-encryption@w3.org
"Donald E. Eastlake 3rd" wrote:
> 
> However, based on the other message from Christian Geuer-Pollmann, I
> think it should say something like
> 
> "Some encryption algorithms take an initialization vector such that an
> adversary modifying the IV can make a known change in the plain text
> after decryption.  This attack can be avoided by securing the
> integrity of the plain text data, for example by signing it. Also, for
> most such algorithms, the attack can be partially limited in scope by
> including a nonce of algorithm dependent length.  Prefixing with a
> nonce one byte shorter than the block length for CBC chaining block
> encryption algorithms limits the modifyable portion of the plain text
> using this technique to the first byte."
> 
> Donald

Donald:

Thanks for the clarifications, and I agree this is more clear.
However, I have just a couple more questions to ensure that I 
understand this precisely.  You state that "for most such 
algorithms, the attack can be partially limited in scope by
including a nonce of algorithm dependent length."  This
statement seems to limit the utility of the nonce to just the
protection against the IV attack described in the first
sentence.  Isn't the nonce just as useful to protect against
a known plaintext attack?  If so, a nonce would be useful to
any symmetric algorithm (block or stream) that has feedback
characteristics, correct?  If this is true, could we state
this explicitly along with a more general nonce length
recommendation?  

Dan
Received on Tuesday, 8 January 2002 10:49:28 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 27 October 2009 08:42:20 GMT