Re: Encrypting the IV - again. Was: Re: nonce length

Perhaps I'm being a little quibbly but it is not clear to me that the
method of sending the IV is part of CBC. I don't know how much we want
to get into a discussion of chaining modes here or in the document but
CBC mode with a plain text IV like we have is stronger than ECB in
every way I can think of EXCEPT that it enables an adversary to flip
arbitrary selected bits in the first block of plain text output. ECB
encrypting the IV eliminates that weakness. Of course, we should be
advocating authenticating the plaintext, but I don't see any
particular reason to leave this weakness in our block encryption
modes.

Donald
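The first-block weakness Donald describes above, worked through in Python as an added example (this is not code from the thread or from the XML Encryption specification). CBC decryption computes P_1 = D_K(C_1) XOR IV, so XORing a delta into a cleartext IV XORs exactly that delta into the first plaintext block and touches nothing else; if the wire instead carries E_K(IV) and the receiver recovers the IV with one ECB decryption, the same delta produces an unpredictable IV and a scrambled first block. To keep the example dependency-free, a constructed SHA-256 Feistel network stands in for AES (an assumption; the CBC behaviour shown holds for any block cipher), and the key, IV and message are constructed.

```python
"""CBC bit-flipping through the IV: cleartext IV vs. ECB-encrypted IV.

Added example for the xml-encryption thread, not the WG's code. The block
cipher is a constructed toy (SHA-256 Feistel) standing in for AES; key, IV
and message below are constructed test data.
"""
import hashlib

BLOCK = 16      # 128-bit blocks, as with AES
ROUNDS = 6


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed round function: 64 bits of SHA-256 over key, round index and half block.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 128-bit block cipher E_K (Feistel network), stand-in for AES."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, i, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of block_encrypt: same rounds, run backwards."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(key, i, left)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    assert len(plaintext) % BLOCK == 0, "example assumes pre-padded input"
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))  # C_i = E_K(P_i XOR C_{i-1})
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))  # P_i = D_K(C_i) XOR C_{i-1}, C_0 = IV
        prev = c
    return b"".join(out)


def decrypt_plain_iv(key: bytes, wire_iv: bytes, ciphertext: bytes) -> bytes:
    """Receiver when the IV travels in the clear (the layout under discussion)."""
    return cbc_decrypt(key, wire_iv, ciphertext)


def decrypt_encrypted_iv(key: bytes, wire_iv: bytes, ciphertext: bytes) -> bytes:
    """Receiver for the proposed variant: the wire carries E_K(IV), undone by one ECB decryption."""
    return cbc_decrypt(key, block_decrypt(key, wire_iv), ciphertext)


def tamper_block(ciphertext: bytes, index: int, delta: bytes) -> bytes:
    """XOR delta into ciphertext block `index` (0-based)."""
    s = index * BLOCK
    return ciphertext[:s] + _xor(ciphertext[s:s + BLOCK], delta) + ciphertext[s + BLOCK:]


def demo() -> dict:
    key = b"constructed 32-byte demo key...."                        # constructed
    iv = bytes(range(BLOCK))                                          # constructed
    plaintext = b"Transfer 100.00 to account 7734-ACME ref 2002-01"  # 3 blocks, constructed
    ciphertext = cbc_encrypt(key, iv, plaintext)

    # Attacker turns '1' (0x31) into '9' (0x39) at offset 9 of block 1: XOR 0x08 there.
    delta = bytes(0x08 if j == 9 else 0 for j in range(BLOCK))
    want = b"Transfer 900.00 to account 7734-ACME ref 2002-01"

    # Case 1: cleartext IV. The flip lands exactly where the attacker chose; nothing else changes.
    forged = decrypt_plain_iv(key, _xor(iv, delta), ciphertext)

    # Case 2: IV sent as E_K(IV). The same flip yields an unpredictable IV and a scrambled block 1.
    scrambled = decrypt_encrypted_iv(key, _xor(block_encrypt(key, iv), delta), ciphertext)

    # Case 3: still with the encrypted IV, flip a bit of C_1 instead: P_2 flips as chosen
    # ('4' -> '5' at offset 14), while P_1 is garbled. Encrypting the IV does not touch this.
    delta2 = bytes(0x01 if j == 14 else 0 for j in range(BLOCK))
    c1_tampered = decrypt_encrypted_iv(key, block_encrypt(key, iv), tamper_block(ciphertext, 0, delta2))

    return {"original": plaintext, "want": want, "forged": forged,
            "scrambled": scrambled, "c1_tampered": c1_tampered}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12}: {value!r}")
```

The first two cases are Donald's point: with the IV in the clear, the adversary chooses which bits of P_1 change and no other block is disturbed, while an ECB-encrypted IV turns that into an uncontrolled garbling of P_1. The third case is the caveat a practitioner should keep in mind: the same CBC equations let an attacker flip chosen bits of any later block P_{i+1} by tampering with C_i, at the price of garbling P_i, and encrypting the IV does nothing about that. Only authentication of the ciphertext (or plaintext), which the message itself calls for, closes the general problem.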

From:  Pieter Kasselman <pkasselman@baltimore.com>
Message-ID:  <E7F0BE6942F1D411AFEA0002A528A8216519F3@irlms01.ie.baltimore.com>
To:  "'reagle@w3.org'" <reagle@w3.org>,
            Christian Geuer-Pollmann
    	 <geuer-pollmann@nue.et-inf.uni-siegen.de>,
            "Donald E. Eastlake 3rd"
    	 <dee3@torque.pothole.com>
Cc:  Dan Lanz <lanz@zolera.com>, xml-encryption@w3.org, blaird@microsoft.com
Date:  Tue, 29 Jan 2002 09:35:41 -0000

>Hi Joseph, I am inclined to agree with your approach. It makes more sense to
>use chaining schemes that have already been standardised/scrutinized/vetted.
>Perhaps the right way to go about this is to propose encrypting the IV used
>with CBC mode to a standards body that deals with cryptography and let them
>standardise it (e.g. NIST has been running a series of workshops on modes of
>operation for block ciphers http://csrc.nist.gov/encryption/modes/). 
>
>XML Encrypt should be flexible enough to allow for any encryption chaining
>scheme to be specified. Thus once CBC with IV encryption is standardised by
>one of these bodies, it can be used with XML Encrypt.
>
>Cheers
>
>Pieter
>
>> -----Original Message-----
>> From:	Joseph Reagle [SMTP:reagle@w3.org]
>> Sent:	28 January 2002 22:55
>> To:	Christian Geuer-Pollmann; Donald E. Eastlake 3rd
>> Cc:	Dan Lanz; xml-encryption@w3.org; blaird@microsoft.com
>> Subject:	Re: Encrypting the IV - again. Was: Re: nonce length
>> 
>> On Monday 28 January 2002 17:09, Christian Geuer-Pollmann wrote:
>> > Well, it seems to me that I do not need obvious facts to introduce
>> > necessary changes into the spec but well-known names ;-((
>> 
>> Hi Christian, I'm not advocating that necessarily, nor that we just need a
>> reference in order to accept it. In fact, I'm not opposed to encrypting the
>> IV. I'm just saying that I prefer that *this* WG not take it upon itself to
>> introduce a "new mode". I'm most comfortable if the issue has been addressed
>> by others and it's been vetted/discussed/standardized, etc.
>> 
>> That's that.
>> 
>> So, what do other people think? Should we encrypt the IV? (If so, we'll
>> do it.)
>> 
>> 
>> -- 
>> 
>> Joseph Reagle Jr.                 http://www.w3.org/People/Reagle/
>> W3C Policy Analyst                mailto:reagle@w3.org
>> IETF/W3C XML-Signature Co-Chair   http://www.w3.org/Signature/
>> W3C XML Encryption Chair          http://www.w3.org/Encryption/2001/
>> 

Received on Tuesday, 29 January 2002 11:03:19 UTC