W3C home > Mailing lists > Public > xml-encryption@w3.org > January 2002

Re: nonce length

From: Joseph Reagle <reagle@w3.org>
Date: Thu, 17 Jan 2002 18:28:20 -0500
Message-Id: <200201172328.SAA32025@tux.w3.org>
To: Christian Geuer-Pollmann <geuer-pollmann@nue.et-inf.uni-siegen.de>, "Donald E. Eastlake 3rd" <dee3@torque.pothole.com>
Cc: Dan Lanz <lanz@zolera.com>, xml-encryption@w3.org, blaird@microsoft.com
On Tuesday 08 January 2002 10:04, Christian Geuer-Pollmann wrote:
> about the use of the IV in block encryption in CBC mode:
> [Menezes/Orschoot/Vanstone] state in Remark 7.16 (integrity if IV in
> CBC):
>
>   "While the IV in the CBC mode need not be secret, its
>    integrity should be protected, since malicious
>    modifications thereof allows an adversary to make
>    predictable bit changes to the first plaintext
>    block recovered."

Is this specified as a distinct mode from CBC? I'm most comfortable doing 
things that have been well specified and already used. So I prefer we say 
CBC IV doesn't give integrity (nor must the IV be secret) but there are 
other modes and approaches. If a CBC with ECB encrypted IVs is specified, 
reviewed, and used then I'd be interested in using that, but I'm not sure 
we should specify it... (See the new 6.3)

-- 

Joseph Reagle Jr.                 http://www.w3.org/People/Reagle/
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/Signature/
W3C XML Encryption Chair          http://www.w3.org/Encryption/2001/
Received on Thursday, 17 January 2002 18:28:27 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 27 October 2009 08:42:20 GMT