- From: Dan Lanz <lanz@zolera.com>
- Date: Thu, 03 Jan 2002 14:04:31 -0500
- To: xml-encryption@w3.org
Section 6.3 states:

"Some encryption algorithms take an initialization vector such that an adversary modifying the IV can make a known change in the plain text after decryption. This attack can be avoided by securing the integrity of the plain text data, for example by signing it, or, for most such algorithms, by including an algorithm dependent length. A nonce at least as long as the block for CBC chaining block encryption algorithms may be adequate."

It is unclear to me what "algorithm dependent length" is referring to in the second sentence. Is this referring to the possibility that the structure of CBC encryption algorithms (and perhaps others) allows blocks to be added to the end of an encrypted message without being detected?

Additionally, I believe the final sentence should be clarified. Is this implying that a nonce would only be useful to block algorithms in CBC mode? (I realize that the specification currently lists only block encryption algorithms in CBC mode, but it appears to leave open the possibility for future specification of stream ciphers.)

Also, it would be useful to give a firm recommendation as to the length of the nonce that should be employed for reasonable protection against chosen plaintext attacks. Although the specification states that it should be at least as long as a CBC block for a given algorithm, does this mean that a nonce *exactly* as long as a block is sufficient? Would it be better to make it longer and, if so, how much?

Dan Lanz
Received on Thursday, 3 January 2002 14:02:00 UTC
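The IV-modification issue the quoted Section 6.3 describes, as an added example (not code from the post or from the XML Encryption specification): in CBC mode the first plaintext block is D(C1) XOR IV, so XORing a difference into the IV XORs the same difference into the first decrypted block, and an integrity check over IV and ciphertext (here an HMAC) is what catches it. The block cipher is a constructed Feistel stand-in, not a real cipher, because the malleability is a property of CBC and not of the cipher; keys, IV and the XML fragment are constructed demo values.

```python
import hashlib
import hmac

BLOCK = 16  # 128-bit block, as for the AES-CBC algorithms the spec lists

def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Feistel round function: keyed hash of one half-block, truncated to a half-block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in 4-round Feistel permutation (constructed for this demo, not a real cipher).
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        l, r = r, xor(l, _f(key, i, r))
    return l + r

def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv  # pt must already be a whole number of blocks
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(xor(block_decrypt(key, ct[i:i + BLOCK]), prev))  # P1 = D(C1) XOR IV
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def demo() -> tuple:
    key, mac_key, iv = b"k" * 16, b"m" * 16, bytes(range(16))  # constructed keys and IV
    pt = b"<amount>0100</amount><id>77</id>"  # constructed two-block XML fragment
    ct = cbc_encrypt(key, iv, pt)
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()  # integrity over IV and ciphertext
    # Changing the IV changes the first plaintext block by exactly the same XOR difference.
    bad_iv = xor(iv, xor(b"<amount>0100</am", b"<amount>9100</am"))
    tampered = cbc_decrypt(key, bad_iv, ct)
    detected = not hmac.compare_digest(tag, hmac.new(mac_key, bad_iv + ct, hashlib.sha256).digest())
    return cbc_decrypt(key, iv, ct), tampered, detected
```

Only the first block is affected by the IV change, so a check confined to later blocks would miss it; the MAC must cover the IV together with the ciphertext (or the plaintext must be signed, as the spec suggests).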