Re: Encrypting the IV - again. Was: Re: nonce length

Mike, the Editors' copy does say the following, let me know if your 
proposed text is intended to replace it (you want more detail) or if you 
were unaware of the latest text and find it satisfactory:

http://www.w3.org/Encryption/2001/Drafts/xmlenc-core/Overview.html#sec-Nonce
... 
For the Cipher Block Chaining (CBC) mode used by this specification the IV 
must be non-repeating under a key and should be random, but it need not be 
secret. Additionally, under this mode an adversary modifying the IV can 
make a known change in the plain text after decryption. This attack can be 
avoided by securing the integrity of the plain text data, for example by 
signing it.

On Thursday 31 January 2002 08:44, Mike Just wrote:
> I suggest that no requirements be changed, but that something like the
> following be added to the Security Considerations section:
> "Modification of the IV by an attacker allows predictable bit changes to
> be made to the first plaintext block upon decryption. Similarly,
> modification to ciphertext block Ci causes plaintext blocks Mi and Mi+1
> to be altered upon decryption. As always, if integrity of the plaintext
> is desired, then one should use an appropriate algorithm from XML DigSig
> computed over the plaintext."

-- 

Joseph Reagle Jr.                 http://www.w3.org/People/Reagle/
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/Signature/
W3C XML Encryption Chair          http://www.w3.org/Encryption/2001/

Received on Friday, 1 February 2002 11:37:45 UTC
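The CBC malleability that both the Editors' text and Mike's proposed paragraph describe, as an added example that is not part of the thread: a toy 16-byte Feistel block cipher stands in for the real cipher (the effect comes from CBC's XOR chaining, not from the block cipher), and KEY, IV, MAC_KEY, MSG and DELTA are constructed values. Flipping a bit in the IV flips the same bit in M1; flipping a bit in C1 flips that bit in M2 and scrambles M1; a MAC computed over the plaintext, the thread's integrity check, rejects both results.

```python
import hashlib, hmac

BLOCK = 16
KEY, IV, MAC_KEY = b"constructed-key!", bytes(range(16)), b"constructed-mac-key"
MSG = b"BLOCK-1-BLOCK-1!" + b"BLOCK-2-BLOCK-2!" + b"BLOCK-3-BLOCK-3!"  # three blocks

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))
def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    # Feistel round function: keyed SHA-256 truncated to half a block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]
def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in 16-byte block cipher (4-round Feistel), NOT AES. Any block cipher
    # shows the same effect: CBC's malleability lives in the XOR chaining step.
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, r, rnd))
    return l + r
def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, l, rnd)), l
    return l + r
def cbc_encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    # C_i = E_k(M_i XOR C_{i-1}) with C_0 = IV; len(msg) must be a multiple of BLOCK.
    prev, out = iv, b""
    for i in range(0, len(msg), BLOCK):
        prev = block_encrypt(key, xor(msg[i:i + BLOCK], prev))
        out += prev
    return out
def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    # M_i = D_k(C_i) XOR C_{i-1}: editing C_{i-1} (or the IV) picks the bit flips in M_i.
    prev, out = iv, b""
    for i in range(0, len(ct), BLOCK):
        out += xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out
def decrypt_modified(which: int, delta: bytes) -> bytes:
    # XOR `delta` into block `which` of IV||C (0 = IV, 1 = C1, ...) and decrypt with the real key.
    stream = bytearray(IV + cbc_encrypt(KEY, IV, MSG))
    s = which * BLOCK
    stream[s:s + BLOCK] = xor(stream[s:s + BLOCK], delta)
    return cbc_decrypt(KEY, bytes(stream[:BLOCK]), bytes(stream[BLOCK:]))
def plaintext_mac_ok(m: bytes) -> bool:
    # Integrity over the plaintext, as the thread suggests (a signature plays the same role).
    tag = hmac.new(MAC_KEY, MSG, hashlib.sha256).digest()
    return hmac.compare_digest(tag, hmac.new(MAC_KEY, m, hashlib.sha256).digest())

DELTA = b"\x20" + bytes(BLOCK - 1)  # flip bit 5 of byte 0: 'B' <-> 'b'
```

A tag computed over IV and ciphertext instead would reject the edit before decryption even runs; the plaintext check shown here matches what the thread proposes.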