- From: Christian Geuer-Pollmann <geuer-pollmann@nue.et-inf.uni-siegen.de>
- Date: Mon, 14 Jan 2002 21:31:09 +0100
- To: XML Encryption WG <xml-encryption@w3.org>
Hi,

just to summarize about IV, CBC and that stuff. Everything written in this mail can be read in [1] (download it - it's worth it).

<CITE>
7.13 Algorithm CBC mode of operation: Properties of the CBC mode of operation:
1. Identical plaintexts: identical ciphertext blocks result when the same plaintext is enciphered under the same key and IV. Changing the IV, key, or first plaintext block (e.g., using a counter or random field) results in different ciphertext.
</CITE>

This means even if you use the IV in counter mode (1st IV = 0x00000001, 2nd IV = 0x00000002) and not as a randomized array, a dictionary attack _IS_NOT_POSSIBLE_.

<CITE>
7.16 Remark (integrity of IV in CBC) While the IV in the CBC mode need not be secret, its integrity should be protected, since malicious modification thereof allows an adversary to make predictable bit changes to the first plaintext block recovered. Using a secret IV is one method for preventing this. However, if message integrity is required, an appropriate mechanism should be used (see §9.6.5); encryption mechanisms typically guarantee confidentiality only.
</CITE>

To keep the IV secret, encrypt it in ECB. But hey - is ECB secure?

<CITE>
7.12 Remark (use of ECB mode) Since ciphertext blocks are independent, malicious substitution of ECB blocks (e.g., insertion of a frequently occurring block) does not affect the decryption of adjacent blocks. Furthermore, block ciphers do not hide data patterns - identical ciphertext blocks imply identical plaintext blocks. For this reason, the ECB mode is not recommended for messages longer than one block, or if keys are reused for more than a single one-block message. Security may be improved somewhat by inclusion of random padding bits in each block.
</CITE>

Christian

[1] http://www.cacr.math.uwaterloo.ca/hac/about/chap7.pdf
Received on Monday, 14 January 2002 15:27:50 UTC
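The three HAC remarks quoted in the mail (7.13, 7.16 and 7.12) can each be checked in a few lines. The Go program below is an added example, not part of the original post or of the XML Encryption work; it uses Go's standard-library AES, CBC and HMAC. The keys, the plaintext and the HMAC-SHA256-over-IV||ciphertext construction are constructed assumptions for the demonstration (the mail and HAC only say "an appropriate mechanism should be used"). It shows that a counter IV still makes repeated plaintexts encrypt differently (7.13), that flipping one IV bit flips exactly the same bit of the first recovered plaintext block and nothing else unless the IV is covered by a MAC (7.16), and that ECB maps identical plaintext blocks to identical ciphertext blocks (7.12).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Constructed 128-bit demo keys (assumption: not taken from the mail).
var encKey = []byte("0123456789abcdef")
var macKey = []byte("fedcba9876543210")

// Constructed two-block plaintext (32 bytes, so no padding is needed).
var samplePlaintext = []byte("AttackAtDawn!!!!SameSecondBlock.")

// counterIV builds the counter-style IV the mail describes: a big-endian
// counter in the low bytes of an otherwise zero block (…01, …02, …).
func counterIV(n uint64) []byte {
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(iv[8:], n)
	return iv
}

// cbcEncrypt / cbcDecrypt run AES-CBC over block-aligned input.
func cbcEncrypt(key, iv, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return out
}

func cbcDecrypt(key, iv, ciphertext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ciphertext)
	return out
}

// ecbEncrypt enciphers every block independently. Go's library offers no ECB
// mode on purpose, so it is spelled out here only to show the pattern leak.
func ecbEncrypt(key, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key)
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], plaintext[i:i+aes.BlockSize])
	}
	return out
}

// tag is one "appropriate mechanism" (HAC 7.16): HMAC-SHA256 over iv||ciphertext,
// so the IV's integrity is bound to the message. Assumption, not the spec's design.
func tag(iv, ciphertext []byte) []byte {
	h := hmac.New(sha256.New, macKey)
	h.Write(iv)
	h.Write(ciphertext)
	return h.Sum(nil)
}

// verifyAndDecrypt refuses to decrypt anything whose IV or ciphertext was altered.
func verifyAndDecrypt(iv, ciphertext, mac []byte) ([]byte, bool) {
	if !hmac.Equal(tag(iv, ciphertext), mac) {
		return nil, false
	}
	return cbcDecrypt(encKey, iv, ciphertext), true
}

// cbcIVProperties checks HAC 7.13: same key+IV+plaintext gives the same
// ciphertext; advancing only the counter IV gives a different one.
func cbcIVProperties() (sameIVSameCiphertext, counterIVDiffers bool) {
	c1 := cbcEncrypt(encKey, counterIV(1), samplePlaintext)
	c1again := cbcEncrypt(encKey, counterIV(1), samplePlaintext)
	c2 := cbcEncrypt(encKey, counterIV(2), samplePlaintext)
	return bytes.Equal(c1, c1again), !bytes.Equal(c1, c2)
}

// ivTampering checks HAC 7.16: with bit 0 of IV byte 0 inverted, CBC decryption
// inverts exactly that bit of plaintext block 1 and leaves block 2 intact; the
// MAC over iv||ciphertext rejects the altered IV before any decryption happens.
func ivTampering() (predictableFlip, otherBlockIntact, rejectedByMAC bool) {
	iv := counterIV(1)
	ct := cbcEncrypt(encKey, iv, samplePlaintext)
	mac := tag(iv, ct)
	badIV := append([]byte(nil), iv...)
	badIV[0] ^= 0x01
	recovered := cbcDecrypt(encKey, badIV, ct) // decrypting without checking integrity
	predictableFlip = recovered[0] == samplePlaintext[0]^0x01 &&
		bytes.Equal(recovered[1:16], samplePlaintext[1:16])
	otherBlockIntact = bytes.Equal(recovered[16:], samplePlaintext[16:])
	_, ok := verifyAndDecrypt(badIV, ct, mac)
	return predictableFlip, otherBlockIntact, !ok
}

// ecbLeaksPattern checks HAC 7.12: two identical plaintext blocks under ECB
// produce two identical ciphertext blocks.
func ecbLeaksPattern() bool {
	ct := ecbEncrypt(encKey, []byte("AttackAtDawn!!!!AttackAtDawn!!!!"))
	return bytes.Equal(ct[:16], ct[16:])
}

func main() {
	a, b := cbcIVProperties()
	fmt.Println("7.13 same IV -> same ciphertext:", a, " counter IV -> different:", b)
	p, q, r := ivTampering()
	fmt.Println("7.16 predictable bit flip:", p, " other block intact:", q, " MAC rejects:", r)
	fmt.Println("7.12 ECB identical blocks leak:", ecbLeaksPattern())
}
```

The integrity check runs before decryption and compares tags with `hmac.Equal`, so a modified IV is rejected without the decrypting side ever acting on the altered first block; that is the order of operations the 7.16 remark is asking for when it says confidentiality alone does not cover the IV.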