- From: Christian Geuer-Pollmann <geuer-pollmann@nue.et-inf.uni-siegen.de>
- Date: Sat, 10 Nov 2001 13:47:00 +0100
- To: "Donald E. Eastlake 3rd" <dee3@torque.pothole.com>
- Cc: XML Encryption WG <xml-encryption@w3.org>
Hi Donald,

I think that other standards do not encrypt such highly structured data as we do. For example, given a schema that allows only particular attribute values like here:

<a v='1'/>

If we encrypt something like this, imagine the v attribute can only have the values '1' and '0' by the schema. In such a case, the attacker knows exactly on which part of the IV he has to mess around - our problem is that XML is not freely chosen text, but restricted by some means.

If we do something like encrypting the IV, it costs us absolutely nothing (but 1 block cipher algo execution), but it removes one potential flaw.

Yes, I agree that we say: "We only provide the security service 'confidentiality' and do _not_ provide 'integrity'. The user has to use XML Signature for integrity." But in this case, I think it makes cryptographic sense to add something like this.

Christian

--On Saturday, 10 November 2001 00:17 -0500 "Donald E. Eastlake 3rd" <dee3@torque.pothole.com> wrote:

> While this doesn't seem like such a bad idea, I'm not aware of any
> other standards that do this and I'm not sure we should be the first.
> This just seems like another case where you want a message integrity
> check or signature inside the encryption.
>
> Donald
>
> From: Christian Geuer-Pollmann <geuer-pollmann@nue.et-inf.uni-siegen.de>
> To: XML Encryption WG <xml-encryption@w3.org>
>
>> about the use of the IV in block encryption in CBC mode:
>> [Menezes/Oorschot/Vanstone] state in Remark 7.16 (integrity of IV in
>> CBC):
>>
>> "While the IV in the CBC mode need not be secret, its
>> integrity should be protected, since malicious
>> modifications thereof allows an adversary to make
>> predictable bit changes to the first plaintext
>> block recovered."
>>
>> Suggestion:
>>
>> If we encrypt the IV in Electronic Codebook Mode (ECB), we ensure that
>> modifications at the bit level will break decryption of the complete
>> block.
>>
>> "ALGORITHM is used in the Cipher Block Chaining
>> (CBC) mode with a ALGO_KEY_BIT_LENGTH bit
>> Initialization Vector (IV). <ADD>The IV is
>> encrypted in ECB mode.</ADD> The resulting
>> cipher text is prefixed by the
>> <ADD>encrypted</ADD> IV."
>>
>> Does this make sense to you?
>>
>> Best regards,
>> Christian
>>
>> [Menezes/Oorschot/Vanstone] Handbook of Applied Cryptography, page 230
Received on Saturday, 10 November 2001 07:44:30 UTC
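The attack and the proposed fix discussed in this thread, as an added example that is not part of the mailing-list message or of the XML Encryption specification. It uses AES-128 in CBC mode (one of XML Encryption's block ciphers) from Go's standard library, a PKCS#7-style padding chosen only to make the demo self-contained, and a constructed key, IV and plaintext. The plaintext is the schema-restricted `<a v='1'/><b v='1'/>` from the discussion: with the IV prefixed in the clear, an attacker who knows that v can only be '0' or '1' XORs one bit into IV byte 6 and the receiver decrypts `v='0'` with nothing out of place; with the IV passed through the block cipher once (ECB) before it is prefixed, the same edit turns the whole first block into garbage. The example also goes one block further than the text to show where the proposal stops: a bit flipped in ciphertext block C1 still changes plaintext block P2 predictably at the cost of garbling P1, so the encrypted IV protects the first block only, not integrity in general.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Constructed demo key and IV for AES-128; in XML Encryption these would be
// the content-encryption key and a fresh random IV per message.
var (
	demoKey = []byte("0123456789abcdef")
	demoIV  = []byte("fedcba9876543210")
)

func mustCipher(key []byte) cipher.Block {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return b
}

// PKCS#7-style padding keeps the demo self-contained; the padding rule is
// irrelevant to the IV issue shown here.
func pad(p []byte) []byte {
	n := aes.BlockSize - len(p)%aes.BlockSize
	return append(append([]byte{}, p...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func unpad(p []byte) ([]byte, error) {
	if len(p) == 0 || int(p[len(p)-1]) == 0 || int(p[len(p)-1]) > aes.BlockSize {
		return nil, errors.New("bad padding")
	}
	return p[:len(p)-int(p[len(p)-1])], nil
}

// encryptCBC produces the layout the quoted spec text describes: the IV in
// the clear, followed by the CBC ciphertext.
func encryptCBC(key, iv, plaintext []byte) []byte {
	p := pad(plaintext)
	ct := make([]byte, len(p))
	cipher.NewCBCEncrypter(mustCipher(key), iv).CryptBlocks(ct, p)
	return append(append([]byte{}, iv...), ct...)
}

func decryptCBC(key, msg []byte) ([]byte, error) {
	if len(msg) < 2*aes.BlockSize || len(msg)%aes.BlockSize != 0 {
		return nil, errors.New("bad message length")
	}
	pt := make([]byte, len(msg)-aes.BlockSize)
	cipher.NewCBCDecrypter(mustCipher(key), msg[:aes.BlockSize]).CryptBlocks(pt, msg[aes.BlockSize:])
	return unpad(pt)
}

// encryptCBCEncIV is the proposal from the thread: the same CBC ciphertext,
// but the prefixed IV is first run through the block cipher once (ECB).
func encryptCBCEncIV(key, iv, plaintext []byte) []byte {
	encIV := make([]byte, aes.BlockSize)
	mustCipher(key).Encrypt(encIV, iv)
	return append(encIV, encryptCBC(key, iv, plaintext)[aes.BlockSize:]...)
}

func decryptCBCEncIV(key, msg []byte) ([]byte, error) {
	if len(msg) < 2*aes.BlockSize {
		return nil, errors.New("bad message length")
	}
	iv := make([]byte, aes.BlockSize)
	mustCipher(key).Decrypt(iv, msg[:aes.BlockSize])
	return decryptCBC(key, append(iv, msg[aes.BlockSize:]...))
}

// flipByte is the attacker's edit. With msg = IV || C1 || C2 ... and CBC's
// P_i = D(C_i) XOR C_{i-1} (C_0 = IV), XORing have^want into msg[off] turns
// plaintext byte off from have into want. In the clear IV nothing else
// changes; inside a ciphertext block, that block's own plaintext is
// scrambled too.
func flipByte(msg []byte, off int, have, want byte) []byte {
	out := append([]byte{}, msg...)
	out[off] ^= have ^ want
	return out
}

func main() {
	pt := []byte("<a v='1'/><b v='1'/>") // constructed; the schema allows only v='0' or v='1'
	msg, msg2 := encryptCBC(demoKey, demoIV, pt), encryptCBCEncIV(demoKey, demoIV, pt)
	a, _ := decryptCBC(demoKey, flipByte(msg, 6, '1', '0'))       // clean, undetectable change
	b, _ := decryptCBCEncIV(demoKey, flipByte(msg2, 6, '1', '0'))  // first block scrambled
	c, _ := decryptCBCEncIV(demoKey, flipByte(msg2, 16, '1', '0')) // P2 flipped, P1 scrambled
	fmt.Printf("clear IV:     %q\nencrypted IV: %q\nC1 flipped:   %q\n", a, b, c)
}
```

Run it with `go run` and compare the three lines: the first is a well-formed document with a changed attribute value, the second has 16 bytes of garbage where `<a v='1'/><b v='` used to be, and the third shows the b element's v flipped while the a element is destroyed. Note that in none of the three cases does decryption fail, which is the point Menezes/van Oorschot/Vanstone make: CBC alone gives the receiver no signal that anything was touched.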