- From: Dan Lanz <lanz@zolera.com>
- Date: Tue, 08 Jan 2002 10:49:15 -0500
- To: "Donald E. Eastlake 3rd" <dee3@torque.pothole.com>
- CC: xml-encryption@w3.org
"Donald E. Eastlake 3rd" wrote:
>
> However, based on the other message from Christian Geuer-Pollmann, I
> think it should say something like
>
> "Some encryption algorithms take an initialization vector such that an
> adversary modifying the IV can make a known change in the plain text
> after decryption. This attack can be avoided by securing the
> integrity of the plain text data, for example by signing it. Also, for
> most such algorithms, the attack can be partially limited in scope by
> including a nonce of algorithm dependent length. Prefixing with a
> nonce one byte shorter than the block length for CBC chaining block
> encryption algorithms limits the modifiable portion of the plain text
> using this technique to the first byte."
>
> Donald

Donald:

Thanks for the clarifications, and I agree this is more clear. However, I have just a couple more questions to ensure that I understand this precisely.

You state that "for most such algorithms, the attack can be partially limited in scope by including a nonce of algorithm dependent length." This statement seems to limit the utility of the nonce to just the protection against the IV attack described in the first sentence. Isn't the nonce just as useful to protect against a known plaintext attack? If so, a nonce would be useful to any symmetric algorithm (block or stream) that has feedback characteristics, correct? If this is true, could we state this explicitly along with a more general nonce length recommendation?

Dan
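The CBC property discussed in the quoted text, and the two mitigations it names (integrity over the plaintext, a nonce prefix one byte shorter than the block), as an added example that is not code from this list thread or from any XML Encryption implementation. A toy XOR block permutation stands in for the real cipher, since only the CBC chaining matters; the key, IV, nonce and MAC key values are constructed.

```python
import hashlib
import hmac

BLOCK = 16  # block length in bytes

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _toy_block_cipher(key: bytes, block: bytes) -> bytes:
    # Stand-in for the block cipher: XOR with a key-derived pad. It is an
    # involution (E == D) and has no security value; only the CBC chaining
    # around it matters for what is shown here.
    pad = hashlib.sha256(b"toy-block-cipher|" + key).digest()[:BLOCK]
    return _xor(block, pad)

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    assert len(plaintext) % BLOCK == 0, "caller pads to whole blocks"
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = _toy_block_cipher(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(_toy_block_cipher(key, c), prev))  # P_i = D(C_i) ^ C_{i-1}
        prev = c
    return b"".join(out)

def plaintext_delta(key: bytes, iv: bytes, ciphertext: bytes, iv_mask: bytes) -> bytes:
    """XOR difference between plaintexts recovered under iv and iv ^ iv_mask.
    Since P_1 = D(C_1) ^ IV, the difference equals iv_mask in block 1 and is
    zero in every later block: the change is predictable, hence the concern."""
    honest = cbc_decrypt(key, iv, ciphertext)
    altered = cbc_decrypt(key, _xor(iv, iv_mask), ciphertext)
    return _xor(honest, altered)

def strip_nonce(plaintext: bytes, nonce_len: int = BLOCK - 1) -> bytes:
    """Discard the nonce prefix. With a 15-byte nonce only the last byte of
    block 1 is real data, so an IV change can reach at most that one byte."""
    return plaintext[nonce_len:]

def plaintext_tag(mac_key: bytes, plaintext: bytes) -> bytes:
    """Integrity over the plaintext (the mail suggests signing; an HMAC plays
    the same role here). Check with hmac.compare_digest before trusting data."""
    return hmac.new(mac_key, plaintext, "sha256").digest()
```

The nonce only narrows which plaintext byte an IV change can reach; the plaintext integrity check is what actually detects the change.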
Received on Tuesday, 8 January 2002 10:49:28 UTC