- From: Eastlake III Donald-LDE008 <Donald.Eastlake@motorola.com>
- Date: Wed, 5 Dec 2001 16:39:17 -0500
- To: "'xml-encryption@w3.org'" <xml-encryption@w3.org>
- Cc: Eastlake III Donald-LDE008 <Donald.Eastlake@motorola.com>
I suggest the current paragraph be replaced with the three new paragraphs below.

Donald

OLD:

The optional Nonce attribute specifies the presence and length of a nonce value that is prepended to the plain text. A nonce is a value (used only once) that is combined with the plain text being encrypted in order to increase its entropy; this prevents "dictionary attacks" that encrypt "some known plain text phrase with all possible keys so that the key for any given encrypted message containing that phrase may be obtained by lookup." [Glossary]. Given that data is often redundant (e.g., XML) and that attackers may know the data's structure, applications are RECOMMENDED to encrypt data with high entropy, either by its own nature or by use of the Nonce attribute.

NEW:

The optional Nonce attribute specifies the presence and length of a nonce value that is prepended to the plain text. A nonce is a value (used only once) that is combined with the plain text being encrypted in order to increase its entropy and, for some encryption algorithms, to protect against initialization vector attacks.

Increasing entropy prevents "dictionary attacks" that encrypt "all the words in some large, exhaustive list." [RFC2828]. Given that data is often redundant (e.g., XML) and that attackers may know the data's structure, applications are RECOMMENDED to encrypt data with high entropy, either by its own nature or by use of the Nonce attribute.

Some encryption algorithms take an initialization vector (IV) such that an adversary modifying the IV can make a known change in the plain text after decryption. This attack can be avoided by securing the integrity of the plain text data, for example by signing it, or, for most such algorithms, by including an algorithm dependent length. A nonce at least as long as the block for CBC chaining block encryption algorithms may be adequate.
Received on Wednesday, 5 December 2001 16:41:13 UTC