W3C home > Mailing lists > Public > xml-encryption@w3.org > January 2002

Re: IV (some input for you)

From: Joseph Reagle <reagle@w3.org>
Date: Thu, 17 Jan 2002 18:22:43 -0500
Message-Id: <200201172322.SAA30137@tux.w3.org>
To: Christian Geuer-Pollmann <geuer-pollmann@nue.et-inf.uni-siegen.de>
Cc: XML Encryption WG <xml-encryption@w3.org>, "Eastlake <Donald.Eastlake@motorola.com>" <dee3@torque.pothole.com>
I've removed the nonce and rewrote the Nonce/IV section.
$Revision: 1.110 $ on $Date: 2002/01/17 23:00:43 $

(Don, what did you mean by, "by including an algorithm dependent length." 
That sentence seems to be missing something.)

On Monday 14 January 2002 16:44, Christian Geuer-Pollmann wrote:
> No, it does not matter whether you use a random number or a counter, it
> must only be unique. 

It's best if its random (or close to it). See the Security considerations 
  The ESP DES-CBC Cipher Algorithm With Explicit IV
  A concrete security treatment of symmetric encryption: 
  Analysis of the DES modes of operation. 

>The integrity can only be guaranteed if you keep the
> IV secret (by encrypting it) or - of course - if you have a hard
> integrity check like XML Signature.

You have claimed integrity can be obtained under CBC by encrypting the IV; 
Don (seems to have) claimed this is possible by including an "algorithm 
dependent length". I've noted IACBC and CBC-MAC but I would just prefer to 
say that CBC doesn't require the IV be secret, though other modes might. 
(Please see the new 6.3).


Joseph Reagle Jr.                 http://www.w3.org/People/Reagle/
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/Signature/
W3C XML Encryption Chair          http://www.w3.org/Encryption/2001/
Received on Thursday, 17 January 2002 18:22:46 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:32:02 UTC