Encrypting the IV - again. Was: Re: nonce length from Christian Geuer-Pollmann on 2002-01-28 (xml-encryption@w3.org from January 2002)

From: Christian Geuer-Pollmann <geuer-pollmann@nue.et-inf.uni-siegen.de>
Date: Mon, 28 Jan 2002 23:09:13 +0100
To: reagle@w3.org, "Donald E. Eastlake 3rd" <dee3@torque.pothole.com>
Cc: Dan Lanz <lanz@zolera.com>, xml-encryption@w3.org, blaird@microsoft.com
Message-id: <2942038760.1012259353@crypto>

--On Donnerstag, 17. Januar 2002 18:28 -0500 Joseph Reagle <reagle@w3.org> 
wrote:

> On Tuesday 08 January 2002 10:04, Christian Geuer-Pollmann wrote:
>> about the use of the IV in block encryption in CBC mode:
>> [Menezes/Orschoot/Vanstone] state in Remark 7.16 (integrity if IV in
>> CBC):
>>
>>   "While the IV in the CBC mode need not be secret, its
>>    integrity should be protected, since malicious
>>    modifications thereof allows an adversary to make
>>    predictable bit changes to the first plaintext
>>    block recovered."
>
> Is this specified as a distinct mode from CBC? I'm most comfortable doing
> things that have been well specified and already used. So I prefer we say
> CBC IV doesn't give integrity (nor must the IV be secret) but there are
> other modes and approaches. If a CBC with ECB encrypted IVs is specified,
> reviewed, and used then I'd be interested in using that, but I'm not sure
> we should specify it... (See the new 6.3)

Hi Joseph

Well, it seems to me that I do not need obvious facts to introduce 
necessary changes into the spec but well-known names ;-((

But anyhow, after that time, I FOUND a well-known name who wrote down the 
obvious fact that encrypting the IV makes sense:

William Stallings
Cryptography and Network Security, 2nd Ed.
Page 86
ISBN 0-13-869017-0

Section 3.7 on CBC:

  "... The IV must be known to both the sender
   and the receiver. For maximum security, the
   IV should be protected as well as the key.
   This could be done by sending the IV using
   ECB encryption. One reason for protecting
   the IV is as follows: If an opponent is
   able to fool the receiver into using a
   different value for IV, then the opponent
   is able to invert selected bits in the
   first block of plaintext. "

Then follows the same attack I described several times on this list.

Now, I gave all necessary information why it'd be good and easy and nice 
and colorful and spicy and better to encrypt the IV in ECB.

Best regards,
Christian

Received on Monday, 28 January 2002 17:08:19 UTC