
IV (some input for you)

From: Christian Geuer-Pollmann <geuer-pollmann@nue.et-inf.uni-siegen.de>
Date: Mon, 14 Jan 2002 21:31:09 +0100
To: XML Encryption WG <xml-encryption@w3.org>
Message-ID: <1726555348.1011043869@pinkpanther>

Hi,

just to summarize about IV, CBC and that stuff. Everything written in this 
mail can be read in [1] (download it - it's worth it).

<CITE>
7.13 Algorithm CBC mode of operation: Properties of the CBC mode of 
operation:

1. Identical plaintexts: identical ciphertext blocks
   result when the same plaintext is enciphered
   under the same key and IV. Changing the IV,
   key, or first plaintext block (e.g., using a counter
   or random field) results in different ciphertext.
</CITE>

This means even if you use the IV in counter mode (1st IV = 0x00000001, 2nd 
IV = 0x00000002) and not as a randomized array, a dictionary attack 
_IS_NOT_POSSIBLE_.

<CITE>
7.16 Remark (integrity of IV in CBC)

While the IV in the CBC mode need not be secret, its integrity should be 
protected, since malicious modification thereof allows an adversary to make 
predictable bit changes to the first plaintext block recovered. Using a 
secret IV is one method for preventing this. However, if message integrity 
is required, an appropriate mechanism should be used (see §9.6.5); 
encryption mechanisms typically guarantee confidentiality only.
</CITE>

To keep the IV secret, encrypt it in ECB. But hey - is ECB secure?

<CITE>
7.12 Remark (use of ECB mode)

Since ciphertext blocks are independent, malicious substitution of ECB 
blocks (e.g., insertion of a frequently occurring block) does not affect 
the decryption of adjacent blocks. Furthermore, block ciphers do not hide 
data patterns - identical ciphertext blocks imply identical plaintext 
blocks. For this reason, the ECB mode is not recommended for messages 
longer than one block, or if keys are reused for more than a single 
one-block message. Security may be improved somewhat by inclusion of random 
padding bits in each block.
</CITE>

Christian

[1] http://www.cacr.math.uwaterloo.ca/hac/about/chap7.pdf
Received on Monday, 14 January 2002 15:27:50 UTC
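
Added example, not part of the original message or of the text it quotes: a small Python sketch of the two CBC properties cited above (7.13: a different IV gives a different ciphertext; 7.16: a modified IV changes the first recovered plaintext block predictably) and of an HMAC over IV || ciphertext as the integrity mechanism. The block cipher is a toy 4-round Feistel construction used only as a stand-in so the code runs with the standard library; all function names, keys and the sample plaintext are constructed for illustration.

```python
import hashlib, hmac

BLOCK = 16  # bytes per block

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def round_f(key, rnd, half):  # round function of the toy Feistel cipher (stand-in, not a real cipher)
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def enc_block(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, xor(l, round_f(key, rnd, r))
    return l + r

def dec_block(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, round_f(key, rnd, l)), l
    return l + r

def cbc_encrypt(key, iv, pt):  # pt length must be a multiple of BLOCK
    prev, out = iv, b""
    for i in range(0, len(pt), BLOCK):
        prev = enc_block(key, xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    prev, out = iv, b""
    for i in range(0, len(ct), BLOCK):
        out += xor(dec_block(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out

def tag(mac_key, iv, ct):  # HMAC over IV || ciphertext covers the IV's integrity
    return hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def open_checked(key, mac_key, iv, ct, t):  # verify first, decrypt only if the tag matches
    if not hmac.compare_digest(t, tag(mac_key, iv, ct)):
        raise ValueError("IV or ciphertext modified")
    return cbc_decrypt(key, iv, ct)

if __name__ == "__main__":  # constructed sample: counter-style IV, two-block plaintext
    key, iv = b"k" * 16, (1).to_bytes(BLOCK, "big")
    ct = cbc_encrypt(key, iv, b"amount=0000100; to=alice; ok=yes")
    delta = xor(b"amount=0000100; ", b"amount=9999999; ")
    print(cbc_decrypt(key, xor(iv, delta), ct))  # first block changed, second intact
```
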
