
Re: nonce length

From: Joseph Reagle <reagle@w3.org>
Date: Thu, 17 Jan 2002 18:28:20 -0500
Message-Id: <200201172328.SAA32025@tux.w3.org>
To: Christian Geuer-Pollmann <geuer-pollmann@nue.et-inf.uni-siegen.de>, "Donald E. Eastlake 3rd" <dee3@torque.pothole.com>
Cc: Dan Lanz <lanz@zolera.com>, xml-encryption@w3.org, blaird@microsoft.com
On Tuesday 08 January 2002 10:04, Christian Geuer-Pollmann wrote:
> about the use of the IV in block encryption in CBC mode:
> [Menezes/van Oorschot/Vanstone] state in Remark 7.16 (integrity of IV in
> CBC):
>   "While the IV in the CBC mode need not be secret, its
>    integrity should be protected, since malicious
>    modifications thereof allow an adversary to make
>    predictable bit changes to the first plaintext
>    block recovered."

Is this specified as a distinct mode from CBC? I'm most comfortable doing 
things that have been well specified and already used. So I prefer we say 
CBC IV doesn't give integrity (nor must the IV be secret) but there are 
other modes and approaches. If a CBC with ECB encrypted IVs is specified, 
reviewed, and used then I'd be interested in using that, but I'm not sure 
we should specify it... (See the new 6.3)


Joseph Reagle Jr.                 http://www.w3.org/People/Reagle/
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/Signature/
W3C XML Encryption Chair          http://www.w3.org/Encryption/2001/
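The property the quoted Remark 7.16 describes, as an added example that is not part of this thread or of the XML Encryption spec: in CBC the first plaintext block is D(C1) XOR IV, so any change to the IV reappears verbatim in that block while the second block is untouched. The Go below uses the standard library's AES-CBC with constructed key, IV and message values (not real secrets) and shows that an HMAC computed over IV||ciphertext rejects the altered IV before decryption; the MAC-over-IV approach is one way to protect IV integrity, not the mode Reagle mentions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Constructed demo values: 32-byte AES-256 key, 16-byte IV, and a two-block
// plaintext whose first block carries a value worth altering.
var (
	encKey = []byte("0123456789abcdef0123456789abcdef")
	macKey = []byte("constructed-mac-key-demo-only")
	iv     = []byte("constructed-iv16")
	msg    = []byte("amount=00000100;note=2nd-block!!")
)

func cbcEncrypt(key, iv, pt []byte) []byte {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, pt)
	return ct
}

func cbcDecrypt(key, iv, ct []byte) []byte {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(pt, ct)
	return pt
}

// xorIV returns iv XOR delta; since P1 = D(C1) XOR IV, the same delta lands
// bit-for-bit in the recovered first plaintext block.
func xorIV(iv, delta []byte) []byte {
	out := make([]byte, len(iv))
	for i := range iv {
		out[i] = iv[i] ^ delta[i]
	}
	return out
}

// tag binds the IV to the ciphertext so IV modification is detectable.
func tag(macKey, iv, ct []byte) []byte {
	h := hmac.New(sha256.New, macKey)
	h.Write(iv)
	h.Write(ct)
	return h.Sum(nil)
}

func verify(macKey, iv, ct, t []byte) bool {
	return hmac.Equal(tag(macKey, iv, ct), t)
}

// demo returns the plaintext recovered with the original IV, the plaintext
// recovered with a tampered IV, and whether the tag accepts the tampered IV.
func demo() (orig, tampered []byte, accepted bool) {
	ct := cbcEncrypt(encKey, iv, msg)
	t := tag(macKey, iv, ct)
	delta := make([]byte, 16)
	delta[7] = '0' ^ '9' // byte 7 is the first digit of "amount="
	alteredIV := xorIV(iv, delta)
	return cbcDecrypt(encKey, iv, ct), cbcDecrypt(encKey, alteredIV, ct), verify(macKey, alteredIV, ct, t)
}

func main() {
	o, t, ok := demo()
	fmt.Printf("original: %q\ntampered: %q\ntag accepts tampered IV: %v\n", o, t, ok)
}
```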
Received on Thursday, 17 January 2002 18:28:27 UTC
