Re: nonce length

On Tuesday 08 January 2002 10:04, Christian Geuer-Pollmann wrote:
> about the use of the IV in block encryption in CBC mode:
> [Menezes/van Oorschot/Vanstone] state in Remark 7.16 (integrity of IV in
> CBC):
>   "While the IV in the CBC mode need not be secret, its
>    integrity should be protected, since malicious
>    modifications thereof allows an adversary to make
>    predictable bit changes to the first plaintext
>    block recovered."

Is this specified as a distinct mode from CBC? I'm most comfortable doing 
things that have been well specified and already used. So I prefer we say 
CBC IV doesn't give integrity (nor must the IV be secret) but there are 
other modes and approaches. If a CBC with ECB encrypted IVs is specified, 
reviewed, and used then I'd be interested in using that, but I'm not sure 
we should specify it... (See the new 6.3)


Joseph Reagle Jr.       
W3C Policy Analyst      
IETF/W3C XML-Signature Co-Chair
W3C XML Encryption Chair

Received on Thursday, 17 January 2002 18:28:27 UTC
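The property quoted from Remark 7.16, and the kind of "other approach" the reply alludes to, can be seen end to end in a short script. This is an added illustration, not code from the thread or from any XML Encryption implementation. The block cipher is a toy 4-round Feistel keyed with SHA-256, constructed here only so the script runs on the standard library; the behaviour shown is a property of CBC itself, not of that cipher. The keys, IV handling and sample message are all constructed for the example. The first half shows that XORing a delta into the transmitted IV changes the first recovered plaintext block by exactly that delta while every later block decrypts unchanged; the second half shows that an encrypt-then-MAC construction whose tag covers the IV rejects the same modification.

```python
"""CBC IV integrity: malleability of the first block, and its detection by a MAC
that covers the IV.  Added example with a constructed toy block cipher."""
import hashlib
import hmac
import os

BLOCK = 16   # bytes per block
ROUNDS = 4   # Feistel rounds in the toy cipher


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, half: bytes, i: int) -> bytes:
    # Toy round function: keyed SHA-256 truncated to half a block.
    return hashlib.sha256(key + bytes([i]) + half).digest()[: BLOCK // 2]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in range(ROUNDS):
        l, r = r, xor(l, _f(key, r, i))
    return r + l  # final swap so decryption runs the same rounds backwards


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    r, l = block[:8], block[8:]  # undo the final swap
    for i in reversed(range(ROUNDS)):
        l, r = xor(r, _f(key, l, i)), l
    return l + r


def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return IV || C1 || C2 ...; the IV travels in the clear."""
    pt, prev, out = pad(plaintext), iv, []
    for i in range(0, len(pt), BLOCK):
        prev = toy_block_encrypt(key, xor(pt[i : i + BLOCK], prev))
        out.append(prev)
    return iv + b"".join(out)


def cbc_decrypt(key: bytes, data: bytes) -> bytes:
    iv, ct = data[:BLOCK], data[BLOCK:]
    prev, out = iv, []
    for i in range(0, len(ct), BLOCK):
        c = ct[i : i + BLOCK]
        out.append(xor(toy_block_decrypt(key, c), prev))  # P1 = D(C1) XOR IV
        prev = c
    return unpad(b"".join(out))


def xor_into_iv(data: bytes, delta: bytes) -> bytes:
    """Model the Remark 7.16 modification: only the IV is XORed with delta."""
    return xor(data[:BLOCK], delta) + data[BLOCK:]


def seal(enc_key: bytes, mac_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; the HMAC tag covers the IV as well as the ciphertext."""
    data = cbc_encrypt(enc_key, iv, plaintext)
    return data + hmac.new(mac_key, data, hashlib.sha256).digest()


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    data, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, data, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MAC check failed: IV or ciphertext was modified")
    return cbc_decrypt(enc_key, data)


def demo(iv: bytes = None) -> dict:
    """Show the first-block effect of an IV change and that a MAC over the IV catches it."""
    enc_key, mac_key = b"E" * 16, b"M" * 16          # constructed demo keys
    iv = iv or os.urandom(BLOCK)                      # fresh IV per message
    pt = b"amount=00000100;to=alice;ref=42"           # constructed sample message
    delta = bytearray(BLOCK)
    delta[10] = 0x09                                   # one byte of the first block
    recovered = cbc_decrypt(enc_key, xor_into_iv(cbc_encrypt(enc_key, iv, pt), bytes(delta)))
    try:
        open_sealed(enc_key, mac_key, xor_into_iv(seal(enc_key, mac_key, iv, pt), bytes(delta)))
        detected = False
    except ValueError:
        detected = True
    return {
        "original": pt,
        "recovered": recovered,
        "first_block_changed_only": recovered[:BLOCK] == xor(pt[:BLOCK], bytes(delta))
        and recovered[BLOCK:] == pt[BLOCK:],
        "mac_detects_tampering": detected,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The unauthenticated path recovers `amount=00090100;...` from a ciphertext whose encrypted blocks were never touched, which is exactly the "predictable bit changes to the first plaintext block" of the remark; every block after the first is unaffected because CBC chains on ciphertext, not on the IV. The sealed path rejects the same message before decryption. The remark's wording, and the reply's preference for a separately specified mechanism, both point the same way: the plain CBC IV provides no integrity, and integrity has to come from a construction that explicitly covers it.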