- From: Fritz Schneider <fritz@cs.ucsd.edu>
- Date: Wed, 30 Jan 2002 11:19:00 -0800 (PST)
- To: Blair Dillaway <blaird@microsoft.com>
- cc: <xml-encryption@w3.org>
On Wed, 30 Jan 2002, Blair Dillaway wrote:

> P.S. I have also pinged a couple of cryptographers about this issue
> and the response was a uniform - "Why, what are you gaining?".

I must admit that I've been following this discussion with a bit of puzzlement for exactly the reason quoted above. The bottom line is that CBC was not designed to guarantee integrity or authenticity -- period. It was designed for privacy. Given this, I'm not sure why a discussion of integrity is entering the picture.

While it might give you a *small* measure of confidence to use CBC with an encrypted IV, the "confidence" you gain is really an illusion. There is still no guarantee of integrity. If integrity is desired then there are well-known, well-studied constructions designed specifically for that purpose... constructions for which proofs of security exist. In addition there are (relatively) well-known, well-studied modes of encryption that simultaneously guarantee privacy _and_ integrity... and such modes of encryption come with proofs of security rather than ad hoc arguments.

As has been noted on several occasions, using encrypted-IV CBC is probably a Good Thing in practice. But I think it would be a mistake to suggest that encrypting the IV provides any real measure of integrity.

-- fritz

ps I've been lurking on the list for several months but this is my first post. Pardon me if I am out of turn here...
Received on Wednesday, 30 January 2002 14:19:03 UTC
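The following is an added example, not part of the archived message or of the XML Encryption specification. It illustrates the point made above: a receiver of plain CBC (with or without an encrypted IV) has no way to tell that the ciphertext was altered in transit, whereas an encrypt-then-MAC construction rejects it. The block cipher is a hypothetical 4-round Feistel permutation built on HMAC-SHA256 so that the example runs on the Python standard library alone; CBC's behaviour does not depend on which block cipher sits underneath. The "encrypted IV" layout is modelled as a leading block E_k(IV) followed by the ordinary CBC ciphertext, which is an assumption about the proposal under discussion, not a quote of it. Keys, IV and message are constructed demo values.

```python
import hmac
import hashlib

BLOCK = 16          # block size in bytes (same as AES)
TAG_LEN = 32        # HMAC-SHA256 output length


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, half, r):
    # Keyed round function of the toy Feistel cipher (hypothetical stand-in for AES).
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key, block):
    # 4-round Feistel permutation on a 16-byte block; not a real cipher, only a
    # keyed invertible mapping so that CBC can be demonstrated offline.
    L, R = block[:8], block[8:]
    for r in range(4):
        L, R = R, _xor(L, _round(key, R, r))
    return L + R


def block_decrypt(key, block):
    L, R = block[:8], block[8:]
    for r in reversed(range(4)):
        L, R = _xor(R, _round(key, L, r)), L
    return L + R


def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, iv, plaintext):
    prev, out = iv, []
    padded = pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ciphertext):
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return unpad(b"".join(out))


# "Encrypted IV" CBC, modelled (assumption) as E_k(IV) || CBC_k(IV, P).
def enc_iv_cbc_encrypt(key, iv, plaintext):
    return block_encrypt(key, iv) + cbc_encrypt(key, iv, plaintext)


def enc_iv_cbc_decrypt(key, data):
    iv = block_decrypt(key, data[:BLOCK])
    return cbc_decrypt(key, iv, data[BLOCK:])


# Encrypt-then-MAC: a separate MAC key, tag over the whole transmitted
# ciphertext, constant-time comparison before any decryption happens.
def etm_encrypt(enc_key, mac_key, iv, plaintext):
    c = enc_iv_cbc_encrypt(enc_key, iv, plaintext)
    return c + hmac.new(mac_key, c, hashlib.sha256).digest()


def etm_decrypt(enc_key, mac_key, data):
    c, tag = data[:-TAG_LEN], data[-TAG_LEN:]
    expected = hmac.new(mac_key, c, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return enc_iv_cbc_decrypt(enc_key, c)


def flip_bit(data, index, bit=0):
    # Simulate one corrupted bit in the transmitted bytes.
    out = bytearray(data)
    out[index] ^= 1 << bit
    return bytes(out)


def decrypt_or_none(fn, *args):
    try:
        return fn(*args)
    except ValueError:
        return None


def demo():
    # Constructed demo values; a real system uses fresh random keys and IVs.
    enc_key = hashlib.sha256(b"demo-enc-key").digest()
    mac_key = hashlib.sha256(b"demo-mac-key").digest()
    iv = bytes(range(BLOCK))
    plaintext = b"amount=100 to=alice memo=thanks for lunch"  # 41 bytes -> 3 blocks

    wire = enc_iv_cbc_encrypt(enc_key, iv, plaintext)
    wire_mac = etm_encrypt(enc_key, mac_key, iv, plaintext)
    return {
        "plaintext": plaintext,
        "cbc_ok": enc_iv_cbc_decrypt(enc_key, wire),
        # corrupted E_k(IV): block 1 garbles, blocks 2-3 decrypt cleanly, no error
        "cbc_iv_corrupted": decrypt_or_none(enc_iv_cbc_decrypt, enc_key, flip_bit(wire, 0)),
        # corrupted ciphertext block 1: block 1 garbles, block 2 differs in the
        # same bit, block 3 and its padding are intact, so again no error
        "cbc_block_corrupted": decrypt_or_none(enc_iv_cbc_decrypt, enc_key, flip_bit(wire, BLOCK)),
        "etm_ok": decrypt_or_none(etm_decrypt, enc_key, mac_key, wire_mac),
        "etm_corrupted": decrypt_or_none(etm_decrypt, enc_key, mac_key, flip_bit(wire_mac, BLOCK)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running `demo()` shows the asymmetry the mail describes: encrypting the IV only changes *how* the first plaintext block is damaged when the leading block is corrupted, and any later ciphertext block can still be altered with valid padding and no decryption error, while the MAC variant refuses the altered message before decrypting.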