
RE: Encrypting the IV - again. Was: Re: nonce length

From: Fritz Schneider <fritz@cs.ucsd.edu>
Date: Wed, 30 Jan 2002 16:06:46 -0800 (PST)
To: Christian Geuer-Pollmann <geuer-pollmann@nue.et-inf.uni-siegen.de>
cc: Blair Dillaway <blaird@microsoft.com>, "Donald E. Eastlake 3rd" <dee3@torque.pothole.com>, <reagle@w3.org>, <xml-encryption@w3.org>
Message-ID: <Pine.GSO.4.33.0201301434360.25444-100000@beowulf.ucsd.edu>

On Wed, 30 Jan 2002, Christian Geuer-Pollmann wrote:

> That's right. If the application has the requirement for integrity,
> XML Signature SHOULD be used. Encrypting the IV does not guarantee the
> integrity, it's not signcryption. I never promised that. But - shall
> we really use some sub-optimal solution? Transfer the IV unencrypted
> even if the vulnerabilities are obvious? I'd say no!

	I'd say yes. Consider the following observation:

 * If the user IS concerned about integrity then a MAC or digital
   signature must be used because an encrypted IV is not sufficient.
   So the encryption of the IV will be extra work that gains the user
   nothing -- they're already getting a much better integrity guarantee
   from their MAC or signature.

 * If the user IS NOT concerned about integrity then the encryption
   of the IV is extra work that gains the user nothing (because they
   don't care about integrity).

Any way I look at it, it seems to me that encrypting the IV is superfluous.

-- fritz
Received on Wednesday, 30 January 2002 19:07:00 UTC
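
The integrity argument in the message above, as an added example that is not part of the original thread: in CBC mode a modified cleartext IV changes the first plaintext block, a modified ciphertext block changes the following plaintext block whether or not the IV was protected, and a MAC over IV || ciphertext rejects both. It goes slightly beyond the message by also showing the ciphertext-block case. Assumptions: a toy Feistel cipher stands in for a real block cipher, HMAC-SHA256 stands in for the MAC or signature, padding is omitted, and all function names and sample values are constructed for illustration.

```python
import hashlib, hmac

BLOCK, ROUNDS = 16, (0, 1, 2, 3)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(key, blk, rounds):  # toy 128-bit block cipher, stand-in for a real one
    l, r = blk[:8], blk[8:]
    for rnd in rounds:
        l, r = r, _xor(l, hashlib.sha256(key + bytes([rnd]) + r).digest()[:8])
    return r + l  # final swap, so the reversed round order decrypts

def cbc_encrypt(key, iv, pt):  # pt must be block-aligned (no padding here)
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = feistel(key, _xor(pt[i:i + BLOCK], prev), ROUNDS)
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(feistel(key, ct[i:i + BLOCK], ROUNDS[::-1]), prev)
        prev = ct[i:i + BLOCK]
    return out

def tag(mac_key, iv, ct):  # encrypt-then-MAC: the tag covers IV and ciphertext
    return hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, iv, ct, t):
    if not hmac.compare_digest(t, tag(mac_key, iv, ct)):
        raise ValueError("MAC check failed: IV or ciphertext was modified")
    return cbc_decrypt(enc_key, iv, ct)

def flip(data, index, mask):  # XOR one byte, modelling a change made in transit
    return data[:index] + bytes([data[index] ^ mask]) + data[index + 1:]

if __name__ == "__main__":  # constructed sample keys, IV and message
    ek, mk, iv = b"E" * 16, b"M" * 32, bytes(range(16))
    pt = b"amount=0100 EUR;to=alice;memo=ok"
    ct = cbc_encrypt(ek, iv, pt)
    print(cbc_decrypt(ek, flip(iv, 7, 0x09), ct))  # IV edit alters block 1
    print(cbc_decrypt(ek, iv, flip(ct, 3, 0x03)))  # ciphertext edit alters block 2
    try:
        open_sealed(ek, mk, flip(iv, 7, 0x09), ct, tag(mk, iv, ct))
    except ValueError as err:
        print(err)
```

Without the MAC check both modified messages decrypt without any error; with it, `open_sealed` refuses them before decryption.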
