Re: nonce length

Hi,

From:  Dan Lanz <lanz@zolera.com>
Message-ID:  <3C34AB3F.F6F3215B@zolera.com>
Date:  Thu, 03 Jan 2002 14:04:31 -0500
Organization:  Zolera Systems, Inc.

>Section 6.3 states: "Some encryption algorithms take an
>initialization vector such that an adversary modifying the
>IV can make a known change in the plain text after decryption.
>This attack can be avoided by securing the integrity of the
>plain text data, for example by signing it, or, for most
>such algorithms, by including an algorithm dependent length.

Should have been "... by including a nonce of algorithm dependent
length." Except this isn't true...

>A nonce at least as long as the block for CBC chaining block
>encryption algorithms may be adequate."

Should have said "Prefixing with a nonce at least as long as the ..."

>It is unclear to me what "algorithm dependent length" is
>referring to in the second sentence.  Is this referring to 
>the possibility that the structure of CBC encryption 
>algorithms (and perhaps others) allows blocks to be added to 
>the end of an encrypted message w/o being detected? 

Nope, it is just that by tweaking the IV you can make known changes in
the first block of the decrypted plain text.

>Additionally, I believe the final sentence should be
>clarified.  Is this implying that a nonce would only be useful
>to block algorithms in CBC mode?  (I realize that the 
>specification currently lists only block encryption algorithms 
>in CBC mode, but it appears to leave open the possibility for
>future specification of stream ciphers).  Also, it would be
>useful to give a firm recommendation as to the length of the
>nonce that should be employed for reasonable protection against
>chosen plaintext attacks.  Although the specification states 
>that it should be at least as long as a CBC block for a given 
>algorithm, does this mean that a nonce *exactly* as long as a 
>block is sufficient?  Would it be better to make it longer
>and, if so, how much?

The text is hinting that there is probably some way to add nonce
material in a removable fashion to fix this problem for most
algorithms that are afflicted by it.

>Dan Lanz

However, based on the other message from Christian Geuer-Pollmann, I
think it should say something like

"Some encryption algorithms take an initialization vector such that an
adversary modifying the IV can make a known change in the plain text
after decryption.  This attack can be avoided by securing the
integrity of the plain text data, for example by signing it. Also, for
most such algorithms, the attack can be partially limited in scope by
including a nonce of algorithm dependent length.  Prefixing with a
nonce one byte shorter than the block length for CBC chaining block
encryption algorithms limits the modifyable portion of the plain text
using this technique to the first byte."

Donald

Received on Tuesday, 8 January 2002 09:47:57 UTC
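The attack the thread discusses, as an added worked example that is not part of the list archive, the draft text, or any XML Encryption implementation. In CBC the receiver computes P1 = D(C1) XOR IV, so an attacker who XORs a difference into the transmitted IV XORs the same difference into the first plain text block and touches nothing else. The example uses XTEA (64-bit blocks) as a stand-in for the spec's CBC block ciphers, a PKCS#5-style pad, a constructed key, IV, nonce and message, and hypothetical function names (`seal`, `unseal`, `attack`). It runs the three cases from Donald's reply: no nonce (any byte of the first block is controllable), a full-block nonce (the flipped bits land in the discarded nonce), and a nonce one byte short of the block (only the first plain text byte remains controllable).

```python
"""CBC IV-tweaking demo (constructed example, not from the thread or any spec)."""
import struct

BLOCK = 8                # XTEA block size; stands in for the spec's CBC ciphers
MASK = 0xFFFFFFFF
DELTA = 0x9E3779B9


def _xtea_encrypt_block(key, block, rounds=32):
    v0, v1 = struct.unpack(">2I", block)
    k = struct.unpack(">4I", key)
    s = 0
    for _ in range(rounds):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
        s = (s + DELTA) & MASK
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
    return struct.pack(">2I", v0, v1)


def _xtea_decrypt_block(key, block, rounds=32):
    v0, v1 = struct.unpack(">2I", block)
    k = struct.unpack(">4I", key)
    s = (DELTA * rounds) & MASK
    for _ in range(rounds):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK
        s = (s - DELTA) & MASK
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK
    return struct.pack(">2I", v0, v1)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _pad(data):                      # PKCS#5-style: pad count in every pad byte
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(data):
    return data[:-data[-1]]


def cbc_encrypt(key, iv, plaintext):
    prev, out = iv, []
    data = _pad(plaintext)
    for i in range(0, len(data), BLOCK):
        prev = _xtea_encrypt_block(key, xor_bytes(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ciphertext):
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(xor_bytes(_xtea_decrypt_block(key, c), prev))   # P_i = D(C_i) ^ C_{i-1}
        prev = c
    return _unpad(b"".join(out))


def seal(key, iv, nonce, msg):
    """Sender: prefix the (normally random) nonce, then CBC-encrypt as one string."""
    return cbc_encrypt(key, iv, nonce + msg)


def unseal(key, iv, ct, nonce_len):
    """Receiver: decrypt, then discard the first nonce_len bytes."""
    return cbc_decrypt(key, iv, ct)[nonce_len:]


def attack(nonce_len, delta):
    """Attacker (no key) XORs `delta` into the transmitted IV; returns what the
    receiver ends up with. Key, IV, nonce and message are constructed values."""
    key = bytes(range(16))
    iv = bytes([1, 2, 3, 4, 5, 6, 7, 8])
    nonce = bytes([0xAA]) * nonce_len
    msg = b"PAY $100 TO BOB!"
    ct = seal(key, iv, nonce, msg)
    tweaked_iv = xor_bytes(iv, delta)           # only the IV is touched
    return unseal(key, tweaked_iv, ct, nonce_len)


if __name__ == "__main__":
    # No nonce: attacker rewrites the amount in the first block.
    print(attack(0, xor_bytes(b"PAY $100", b"PAY $900")))      # PAY $900 TO BOB!
    # Full-block nonce: the flipped bits are all in the discarded nonce.
    print(attack(8, bytes([0xFF]) * 8))                          # PAY $100 TO BOB!
    # Nonce one byte short: the first message byte is still controllable.
    print(attack(7, b"\x00" * 7 + bytes([ord("P") ^ ord("S")])))  # SAY $100 TO BOB!
```

Note that a nonce only moves the damage around; it gives the receiver no way to notice the IV was altered, which is why the draft's first recommendation (sign the plain text, or otherwise protect its integrity) is the one that actually closes the attack.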