- From: Christian Geuer-Pollmann <geuer-pollmann@nue.et-inf.uni-siegen.de>
- Date: Tue, 29 Jan 2002 18:02:01 +0100
- To: "Donald E. Eastlake 3rd" <dee3@torque.pothole.com>, xml-encryption@w3.org
Hi Don, hi Pieter,

Don, you're right. Encrypting the IV is NOT a new mode or something like this. In particular, the specifications do not say how the IV is transported. This whole discussion does not try to invent a new mode or something like this but only to make a tweak outside.

Pieter, what we do by saying either "the IV is prepended to the plaintext" or "the encrypted IV is prepended to the plaintext" is only a serialization issue outside of the scope of all documents which describe modes.

Best regards,
Christian

--On Tuesday, 29 January 2002 11:00 -0500 "Donald E. Eastlake 3rd" <dee3@torque.pothole.com> wrote:

> Perhaps I'm being a little quibbly but it is not clear to me that the method of sending the IV is part of CBC. I don't know how much we want to get into a discussion of chaining modes here or in the document but CBC mode with a plain text IV like we have is stronger than ECB in every way I can think of EXCEPT that it enables an adversary to flip arbitrary selected bits in the first block of plain text output. ECB encrypting the IV eliminates that weakness. Of course, we should be advocating authenticating the plaintext, but I don't see any particular reason to leave this weakness in our block encryption modes.
>
> Donald
>
> From: Pieter Kasselman <pkasselman@baltimore.com>
> Message-ID: <E7F0BE6942F1D411AFEA0002A528A8216519F3@irlms01.ie.baltimore.com>
> To: "'reagle@w3.org'" <reagle@w3.org>, Christian Geuer-Pollmann <geuer-pollmann@nue.et-inf.uni-siegen.de>, "Donald E. Eastlake 3rd" <dee3@torque.pothole.com>
> Cc: Dan Lanz <lanz@zolera.com>, xml-encryption@w3.org, blaird@microsoft.com
> Date: Tue, 29 Jan 2002 09:35:41 -0000
>
>> Hi Joseph, I am inclined to agree with your approach. It makes more sense to use chaining schemes that have already been standardised/scrutinized/vetted. Perhaps the right way to go about this is to propose encrypting the IV used with CBC mode to a standards body that deals with cryptography and let them standardise it (e.g. NIST has been running a series of workshops on modes of operation for block ciphers http://csrc.nist.gov/encryption/modes/).
>>
>> XML Encrypt should be flexible enough to allow for any encryption chaining scheme to be specified. Thus once CBC with IV encryption is standardised by one of these bodies, it can be used with XML Encrypt.
>>
>> Cheers
>>
>> Pieter
>>
>>> -----Original Message-----
>>> From: Joseph Reagle [SMTP:reagle@w3.org]
>>> Sent: 28 January 2002 22:55
>>> To: Christian Geuer-Pollmann; Donald E. Eastlake 3rd
>>> Cc: Dan Lanz; xml-encryption@w3.org; blaird@microsoft.com
>>> Subject: Re: Encrypting the IV - again. Was: Re: nonce length
>>>
>>> On Monday 28 January 2002 17:09, Christian Geuer-Pollmann wrote:
>>> > Well, it seems to me that I do not need obvious facts to introduce
>>> > necessary changes into the spec but well-known names ;-((
>>>
>>> Hi Christian, I'm not advocating that necessarily, nor that we just need a reference in order to accept it. In fact, I'm not opposed to encrypting the IV. I'm just saying that I prefer that *this* WG not take it upon itself to introduce a "new mode". I'm most comfortable if the issue has been addressed by others and it's been vetted/discussed/standardized, etc.
>>>
>>> That's that.
>>>
>>> So, what do other people think? Should we encrypt the IV? (If so, we'll do it.)
Received on Tuesday, 29 January 2002 12:06:28 UTC
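The two serializations the thread compares (plaintext IV prepended to the cipher data versus an ECB-encrypted IV prepended), worked through as an added example that is not part of this message or of the XML Encryption drafts. It shows Don's observation concretely: with a plaintext IV, changing one bit of the transported IV changes exactly that bit of the first recovered plaintext block, while with an ECB-encrypted IV the same change scrambles the whole first block unpredictably. The block cipher is an assumed toy 8-round Feistel network built on SHA-256 so the script runs with only the standard library; it stands in for AES and has no security claim of its own. Key, IV and message are constructed demo values. Neither serialization detects the tampering, which is the reason the thread still points at authenticating the plaintext.

```python
"""Why a plaintext CBC IV lets a tamperer flip chosen bits of the first
plaintext block, and what ECB-encrypting the IV before transport changes.

The block cipher is a toy Feistel network on SHA-256 (an assumption made so
the example is self-contained); it stands in for AES only.
"""
import hashlib

BLOCK = 16          # 128-bit block, same size as AES
HALF = BLOCK // 2
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed pseudorandom function; a Feistel network is a bijection for any F.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:HALF], block[HALF:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    assert len(plaintext) % BLOCK == 0  # no padding in this demo
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, cur), prev))
        prev = cur
    return b"".join(out)


# Serialization 1: the plaintext IV is prepended to the cipher data.
def seal_plain_iv(key: bytes, iv: bytes, pt: bytes) -> bytes:
    return iv + cbc_encrypt(key, iv, pt)


def open_plain_iv(key: bytes, msg: bytes) -> bytes:
    return cbc_decrypt(key, msg[:BLOCK], msg[BLOCK:])


# Serialization 2: the IV is ECB-encrypted under the same key, then prepended.
def seal_encrypted_iv(key: bytes, iv: bytes, pt: bytes) -> bytes:
    return block_encrypt(key, iv) + cbc_encrypt(key, iv, pt)


def open_encrypted_iv(key: bytes, msg: bytes) -> bytes:
    return cbc_decrypt(key, block_decrypt(key, msg[:BLOCK]), msg[BLOCK:])


def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    buf = bytearray(data)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


def bits_changed_in_first_block(seal, open_, key, iv, pt) -> int:
    """Flip one bit of the transported IV field (byte 0, bit 0) and count how
    many bits of the first recovered plaintext block differ from the original."""
    tampered = flip_bit(seal(key, iv, pt), 0, 0)
    recovered = open_(key, tampered)
    # The IV only feeds the first block; later blocks are unaffected either way.
    assert recovered[BLOCK:] == pt[BLOCK:]
    return sum(bin(a ^ b).count("1") for a, b in zip(recovered[:BLOCK], pt[:BLOCK]))


# Constructed demo values: the key is not secret and the IV is not random.
KEY = b"constructed-demo-key"
IV = bytes(range(BLOCK))
PT = b"Message block 1." + b"Message block 2."

if __name__ == "__main__":
    print("plain IV    :", bits_changed_in_first_block(seal_plain_iv, open_plain_iv, KEY, IV, PT),
          "bit changed in block 1, exactly where the IV was modified")
    print("encrypted IV:", bits_changed_in_first_block(seal_encrypted_iv, open_encrypted_iv, KEY, IV, PT),
          "bits changed in block 1, spread unpredictably")
```

The first figure is always 1: the decryptor XORs the received IV straight into the first block, so an IV change maps bit-for-bit onto the plaintext. The second is roughly half the block, because the tampered ciphertext of the IV decrypts to an unrelated value before it is XORed in. Both receivers happily return garbage, so the example also illustrates why encrypting the IV narrows one malleability but is not a substitute for integrity protection of the plaintext.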