W3C home > Mailing lists > Public > xml-encryption@w3.org > January 2002

RE: Encrypting the IV - again. Was: Re: nonce length

From: Fritz Schneider <fritz@cs.ucsd.edu>
Date: Wed, 30 Jan 2002 11:19:00 -0800 (PST)
To: Blair Dillaway <blaird@microsoft.com>
cc: <xml-encryption@w3.org>
Message-ID: <Pine.GSO.4.33.0201301029270.25444-100000@beowulf.ucsd.edu>
On Wed, 30 Jan 2002, Blair Dillaway wrote:

> P.S. I have also pinged a couple of cryptographers about this issue
> and the response was a uniform - "Why, what are you gaining?".

	I must admit that I've been following this discussion with a bit
of puzzlement for exactly the reason quoted above. The bottom line is that
CBC was not designed to guarantee integrity or authenticity -- period. It
was designed for privacy. Given this, I'm not sure why a discussion of
integrity is entering the picture. While it might give you a *small*
measure of confidence to use CBC with an encrypted IV, the "confidence"
you gain is really an illusion. There is still no guarantee of integrity.
	If integrity is desired then there are well-known, well-studied
constructions designed specifically for that purpose... constructions for
which proofs of security exist. In addition there are (relatively)
well-known, well-studied modes of encryption that simultaneously guarantee
privacy _and_ integrity... and such modes of encryption come with proofs
of security rather than ad hoc arguments.
	As has been noted on several occasions, using encrypted-IV CBC is
probably a Good Thing in practice. But I think it would be a mistake
suggest that encrypting the IV provides any real measure of integrity.

-- fritz

  ps  I've been lurking on the list for several months but this is my
  my first post. Pardon me if I am out of turn here...
Received on Wednesday, 30 January 2002 14:19:03 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:32:03 UTC