- From: Joseph Reagle <reagle@w3.org>
- Date: Thu, 17 Jan 2002 18:22:43 -0500
- To: Christian Geuer-Pollmann <geuer-pollmann@nue.et-inf.uni-siegen.de>
- Cc: XML Encryption WG <xml-encryption@w3.org>, "Eastlake <Donald.Eastlake@motorola.com>" <dee3@torque.pothole.com>
I've removed the nonce and rewritten the Nonce/IV section.
[ http://www.w3.org/Encryption/2001/Drafts/xmlenc-core/#sec-Nonce
$Revision: 1.110 $ on $Date: 2002/01/17 23:00:43 $ ]

(Don, what did you mean by, "by including an algorithm dependent length." That sentence seems to be missing something.)

On Monday 14 January 2002 16:44, Christian Geuer-Pollmann wrote:
> No, it does not matter whether you use a random number or a counter, it
> must only be unique.

It's best if it's random (or close to it). See the Security considerations of

The ESP DES-CBC Cipher Algorithm With Explicit IV
http://www.ietf.org/rfc/rfc2405.txt

and

A concrete security treatment of symmetric encryption: Analysis of the DES modes of operation.
http://www.cs.ucdavis.edu/~rogaway/papers/index.html

> The integrity can only be guaranteed if you keep the
> IV secret (by encrypting it) or - of course - if you have a hard
> integrity check like XML Signature.

You have claimed integrity can be obtained under CBC by encrypting the IV; Don (seems to have) claimed this is possible by including an "algorithm dependent length". I've noted IACBC and CBC-MAC but I would just prefer to say that CBC doesn't require the IV be secret, though other modes might. (Please see the new 6.3).

--
Joseph Reagle Jr. http://www.w3.org/People/Reagle/
W3C Policy Analyst mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair http://www.w3.org/Signature/
W3C XML Encryption Chair http://www.w3.org/Encryption/2001/
Received on Thursday, 17 January 2002 18:22:46 UTC