From: Christian Geuer-Pollmann <geuer-pollmann@nue.et-inf.uni-siegen.de>
Date: Mon, 28 Jan 2002 23:09:13 +0100
To: reagle@w3.org, "Donald E. Eastlake 3rd" <dee3@torque.pothole.com>
Cc: Dan Lanz <lanz@zolera.com>, xml-encryption@w3.org, blaird@microsoft.com
--On Thursday, 17 January 2002 18:28 -0500 Joseph Reagle <reagle@w3.org> wrote:

> On Tuesday 08 January 2002 10:04, Christian Geuer-Pollmann wrote:
>> about the use of the IV in block encryption in CBC mode:
>> [Menezes/van Oorschot/Vanstone] state in Remark 7.16 (integrity of IV in
>> CBC):
>>
>> "While the IV in the CBC mode need not be secret, its
>> integrity should be protected, since malicious
>> modifications thereof allows an adversary to make
>> predictable bit changes to the first plaintext
>> block recovered."
>
> Is this specified as a distinct mode from CBC? I'm most comfortable doing
> things that have been well specified and already used. So I prefer we say
> CBC IV doesn't give integrity (nor must the IV be secret) but there are
> other modes and approaches. If a CBC with ECB encrypted IVs is specified,
> reviewed, and used then I'd be interested in using that, but I'm not sure
> we should specify it... (See the new 6.3)

Hi Joseph,

Well, it seems to me that I do not need obvious facts to introduce necessary changes into the spec but well-known names ;-(( But anyhow, after that time, I FOUND a well-known name who wrote down the obvious fact that encrypting the IV makes sense:

William Stallings
Cryptography and Network Security, 2nd Ed.
Page 86
ISBN 0-13-869017-0
Section 3.7 on CBC:

"... The IV must be known to both the sender and the receiver. For maximum security, the IV should be protected as well as the key. This could be done by sending the IV using ECB encryption. One reason for protecting the IV is as follows: If an opponent is able to fool the receiver into using a different value for IV, then the opponent is able to invert selected bits in the first block of plaintext."

Then follows the same attack I described several times on this list.

Now, I gave all necessary information why it'd be good and easy and nice and colorful and spicy and better to encrypt the IV in ECB.

Best regards,
Christian
Received on Monday, 28 January 2002 17:08:19 UTC
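The attack that both the Menezes/van Oorschot/Vanstone remark and the Stallings passage describe, worked through in code as an added example (this is not code from the thread, from Christian, or from the XML Encryption specification). It uses Go's standard-library AES-CBC; the key, IV, plaintext and the bit mask the adversary applies are constructed demo values. The first function models an IV sent in the clear and XORed with a mask in transit; the second models the "send the IV using ECB encryption" transport Stallings suggests, with the same mask applied to the encrypted IV block instead.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

const blockSize = aes.BlockSize // 16 bytes

// xorBytes returns a XOR b; both slices must have the same length.
func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// cbcEncrypt runs AES-CBC under key with the given IV.
// plaintext must be a whole number of blocks (no padding is added here).
func cbcEncrypt(key, iv, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return out
}

// cbcDecrypt is the receiver side; the IV it is handed is whatever arrived.
func cbcDecrypt(key, iv, ciphertext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ciphertext)
	return out
}

// ecbEncryptBlock / ecbDecryptBlock process exactly one block under key,
// i.e. the ECB transport of the IV that Stallings describes.
func ecbEncryptBlock(key, in []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, blockSize)
	block.Encrypt(out, in)
	return out
}

func ecbDecryptBlock(key, in []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, blockSize)
	block.Decrypt(out, in)
	return out
}

// RecoverWithTamperedPlainIV: the sender transmits (IV, C) with the IV in the
// clear; the adversary XORs mask into the IV. Since P1 = D_K(C1) XOR IV, the
// receiver recovers P1 XOR mask: a fully predictable change to block one.
func RecoverWithTamperedPlainIV(key, iv, plaintext, mask []byte) []byte {
	c := cbcEncrypt(key, iv, plaintext)
	tamperedIV := xorBytes(iv, mask)
	return cbcDecrypt(key, tamperedIV, c)
}

// RecoverWithTamperedEncryptedIV: the sender transmits (E_K(IV), C); the
// adversary XORs the same mask into E_K(IV). The receiver decrypts that block
// first, so the IV it uses is D_K(E_K(IV) XOR mask), which the adversary
// cannot steer without the key; block one is garbled, not predictably flipped.
func RecoverWithTamperedEncryptedIV(key, iv, plaintext, mask []byte) []byte {
	c := cbcEncrypt(key, iv, plaintext)
	wrappedIV := ecbEncryptBlock(key, iv)
	tampered := xorBytes(wrappedIV, mask)
	recoveredIV := ecbDecryptBlock(key, tampered)
	return cbcDecrypt(key, recoveredIV, c)
}

func main() {
	// Constructed demo values (not from the thread). AES-128 key and a public IV.
	key := []byte("0123456789abcdef")
	iv := []byte("fedcba9876543210")
	// Exactly two blocks so the second block shows what the IV does not touch.
	plaintext := []byte("PAY 0010 EUR TO ALICE, NOT BOB..")

	// The adversary wants '1' (0x31) at offset 6 to become '9' (0x39).
	mask := make([]byte, blockSize)
	mask[6] = 0x31 ^ 0x39

	fmt.Printf("plain IV, tampered:     %q\n", RecoverWithTamperedPlainIV(key, iv, plaintext, mask))
	fmt.Printf("ECB-encrypted IV, same: %q\n", RecoverWithTamperedEncryptedIV(key, iv, plaintext, mask))
}
```

With the IV in the clear the receiver reads "PAY 0090 EUR TO ALICE, NOT BOB.." and nothing else changes, which is exactly why the remark calls the change predictable. Encrypting the IV stops that particular trick, but it is not an integrity mechanism for the message: XORing the same mask into ciphertext block i still flips the same bits in plaintext block i+1 (at the cost of garbling block i), so in practice the whole ciphertext needs a MAC or an authenticated mode, not just a protected IV.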