
Re: Encrypting IV in ECB

From: Christian Geuer-Pollmann <geuer-pollmann@nue.et-inf.uni-siegen.de>
Date: Sat, 10 Nov 2001 13:47:00 +0100
To: "Donald E. Eastlake 3rd" <dee3@torque.pothole.com>
Cc: XML Encryption WG <xml-encryption@w3.org>
Message-id: <377673231.1005400020@pinkpanther>
Hi Donald,

I think that other standards do not encrypt such highly structured data as 
we do. For example, given a schema that allows only particular attribute 
values, like here:

<a v='1'/>

If we encrypt something like this, imagine the v attribute can only have 
the values '1' and '0' by the schema. In such a case, the attacker knows 
exactly on which part of the IV he has to mess around - our problem is that 
XML is not freely chosen text, but restricted by some means.

If we do something like encrypting the IV, it costs us absolutely nothing 
(but one block cipher execution), but it removes one potential flaw for us.

Yes, I agree that we say: "We only provide the security service 
'confidentiality' and do _not_ provide 'integrity'. The user has to use XML 
Signature for integrity." But in this case, I think it makes 
cryptographic sense to add something like this.


--On Saturday, 10 November 2001 00:17 -0500 "Donald E. Eastlake 3rd" 
<dee3@torque.pothole.com> wrote:

> While this doesn't seem like such a bad idea, I'm not aware of any
> other standards that do this and I'm not sure we should be the first.
> This just seems like another case where you want a message integrity
> check or signature inside the encryption.
> Donald
> From:  Christian Geuer-Pollmann <geuer-pollmann@nue.et-inf.uni-siegen.de>
> To:  XML Encryption WG <xml-encryption@w3.org>
>> about the use of the IV in block encryption in CBC mode:
>> [Menezes/van Oorschot/Vanstone] state in Remark 7.16 (integrity of IV in
>> CBC):
>>  "While the IV in the CBC mode need not be secret, its
>>   integrity should be protected, since malicious
>>   modifications thereof allows an adversary to make
>>   predictable bit changes to the first plaintext
>>   block recovered."
>> Suggestion:
>> If we encrypt the IV in Electronic Codebook Mode (ECB), we ensure that
>> modifications on the bit layer will break decryption of the complete
>> block.
>>  "ALGORITHM is used in the Cipher Block Chaining
>>   (CBC) mode with a ALGO_KEY_BIT_LENGTH bit
>>   Initialization Vector (IV). <ADD>The IV is
>>   encrypted in ECB mode.</ADD> The resulting
>>   cipher text is prefixed by the
>>   <ADD>encrypted</ADD> IV."
>> Does this make sense to you?
>> Best regards,
>> Christian
>> [Menezes/van Oorschot/Vanstone] Handbook of Applied Cryptography, page 230
Received on Saturday, 10 November 2001 07:44:30 UTC
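The bit-flip that HAC Remark 7.16 warns about, and the effect of the ECB-encrypted IV proposed in the thread, as an added example that is not part of the original message or of the XML Encryption drafts. It also goes one step past the quoted text by flipping the same bit in the first ciphertext block, a case the proposal does not cover. The 16-byte Feistel cipher, the key, the IV and the two-element XML sample are all constructed for this example; the toy cipher only stands in for AES or 3DES so the code runs with the standard library, and is not fit for any real use.

```python
import hashlib

BLOCK = 16   # block size in bytes, as for AES
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Feistel round function: keyed SHA-256, truncated to half a block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 16-byte block cipher (4-round Feistel over SHA-256) standing in for
    AES. All that matters here is that it is a keyed permutation with full
    diffusion: one flipped ciphertext bit scrambles the whole decrypted block."""
    L, R = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(ROUNDS):
        L, R = R, _xor(L, _f(key, i, R))
    return L + R


def block_decrypt(key: bytes, block: bytes) -> bytes:
    L, R = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(ROUNDS)):
        L, R = _xor(R, _f(key, i, L)), L
    return L + R


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    assert len(pt) % BLOCK == 0, "example uses whole blocks; no padding"
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(prev, pt[i:i + BLOCK]))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out.append(_xor(prev, block_decrypt(key, c)))   # P_i = C_{i-1} xor D(C_i)
        prev = c
    return b"".join(out)


# Draft text as quoted above: the clear IV is prefixed to the CBC ciphertext.
def encrypt_plain_iv(key, iv, pt):
    return iv + cbc_encrypt(key, iv, pt)


def decrypt_plain_iv(key, msg):
    return cbc_decrypt(key, msg[:BLOCK], msg[BLOCK:])


# Christian's proposal: prefix E_K(IV) instead (one extra block cipher call).
def encrypt_encrypted_iv(key, iv, pt):
    return block_encrypt(key, iv) + cbc_encrypt(key, iv, pt)


def decrypt_encrypted_iv(key, msg):
    return cbc_decrypt(key, block_decrypt(key, msg[:BLOCK]), msg[BLOCK:])


def flip_byte(msg: bytes, offset: int, mask: int) -> bytes:
    """The attacker's whole toolkit: XOR one byte of the message, no key needed."""
    b = bytearray(msg)
    b[offset] ^= mask
    return bytes(b)


# Constructed sample (not from the thread): two elements whose schema allows
# only v='0' or v='1', each padded with spaces to exactly one block.
KEY = b"constructed-example-key"
IV = bytes(range(BLOCK))
PLAINTEXT = b"<a v='1'/>".ljust(BLOCK) + b"<b v='1'/>".ljust(BLOCK)
V_OFFSET = PLAINTEXT.index(b"'1'") + 1   # byte 6 of a block holds the value
MASK = ord("1") ^ ord("0")               # 0x01 turns '1' into '0'


def attack_plain_iv() -> bytes:
    """Flip the value bit in the clear IV: block 1 decrypts to v='0' with every
    other byte intact, the predictable change HAC Remark 7.16 describes."""
    msg = encrypt_plain_iv(KEY, IV, PLAINTEXT)
    return decrypt_plain_iv(KEY, flip_byte(msg, V_OFFSET, MASK))


def attack_encrypted_iv() -> bytes:
    """Same flip against the ECB-encrypted IV: the recovered IV, and with it
    all of block 1, is scrambled instead of edited; block 2 is untouched."""
    msg = encrypt_encrypted_iv(KEY, IV, PLAINTEXT)
    return decrypt_encrypted_iv(KEY, flip_byte(msg, V_OFFSET, MASK))


def attack_second_block_encrypted_iv() -> bytes:
    """Beyond the thread: the proposal covers only block 1. Flipping the same
    bit in C1 still turns <b v='1'/> into <b v='0'/>, since P2 = C1 xor D(C2)."""
    msg = encrypt_encrypted_iv(KEY, IV, PLAINTEXT)
    return decrypt_encrypted_iv(KEY, flip_byte(msg, BLOCK + V_OFFSET, MASK))


if __name__ == "__main__":
    print(attack_plain_iv())
    print(attack_encrypted_iv())
    print(attack_second_block_encrypted_iv())
```

The first call returns the document with `v='0'` in the first element and nothing else changed; the second returns an unreadable first block and an intact second one. The third shows the limit of the proposal: it turns a predictable edit of the first block into an unpredictable one, but the recipient still cannot detect the tampering, and every later block stays exactly as malleable as plain CBC leaves it, which is why an integrity check or signature inside the encryption is the general answer rather than any treatment of the IV alone.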
