[146991] in cryptography@c2.net mail archive


Re: [Cryptography] Availability of plaintext/ciphertext pairs (was

daemon@ATHENA.MIT.EDU (Jerry Leichter)
Tue Sep 10 18:53:32 2013

X-Original-To: cryptography@metzdowd.com
From: Jerry Leichter <leichter@lrw.com>
In-Reply-To: <20130910174925.7075ba9c@jabberwock.cb.piermont.com>
Date: Tue, 10 Sep 2013 18:36:38 -0400
To: "Perry E. Metzger" <perry@piermont.com>
Cc: cryptography@metzdowd.com
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Sep 10, 2013, at 5:49 PM, "Perry E. Metzger" <perry@piermont.com> wrote:
>> Phil Rogaway has a paper somewhere discussing the right way to
>> implement cryptographic modes and APIs.
> 
> It would be useful to get a URL for it.
> 
>> In particular, he recommends changing the definition of CBC...to
>> 
>> E_0 = E(IV)  # Not transmitted
>> E_{i+1} = E(E_i XOR P_{i+1})
> 
> You make no mention there of whether the key used to encrypt the IV
> is the same as that used for the plaintext.
As I recall the proposal, it was the same key.  (Generating a different one for this purpose is pointless - it would have to be random, in which case you might as well generate the IV randomly.)

> I presume if you need a lot of IVs (see protocols like IPsec), and have enough key material, a second key might be of value for that -- but I don't know what all the ins and outs are, and would prefer to read the literature...
I searched around but couldn't find it; the proposal apparently was not Rogaway's.  It apparently appears in NIST 800-38A (2001), with no citation.  In searching around, I came across a recent, unpublished paper by Rogaway:  http://www.cs.ucdavis.edu/~rogaway/papers/modes.pdf
That paper - which does detailed analyses of a large number of modes - indicates that more recent work has shown that this technique for choosing an IV is *not* secure (against a certain class of attacks) and recommends against using it.

I highly recommend that paper.  In fact, I highly recommend everything Rogaway has written.  We've been discussing authentication and session key exchange - he and Bellare wrote about the problem in 1993 (http://cseweb.ucsd.edu/users/mihir/papers/eakd.pdf), giving provably secure algorithms for the 2-party case, and two years later (http://www.cs.ucdavis.edu/~rogaway/papers/3pkd.pdf) extended the work to the 3-party case.
                                                        -- Jerry
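The CBC variant quoted above, worked through as an added example; this code is not from the thread, from NIST 800-38A or from Rogaway's paper. It assumes the same key K for the IV encryption, as Jerry recalls, and stands in a 4-round Feistel network over HMAC-SHA256 for the block cipher because the Python standard library has no AES; that permutation is a placeholder, not a secure cipher. What it shows is that the scheme is exactly textbook CBC chained from E_0 = E_K(IV), so the receiver needs only IV and K, and E_0 itself never appears in the ciphertext.

```python
import hashlib
import hmac

BLOCK, HALF = 16, 8  # 128-bit blocks, as for AES

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Stand-in keyed permutation (an assumption, NOT a secure cipher): a 4-round
# Feistel network over HMAC-SHA256. A real block cipher such as AES drops in here.
def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:HALF]

def enc_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:HALF], block[HALF:]
    for rnd in range(4):
        left, right = right, xor(left, _f(key, rnd, right))
    return left + right

def dec_block(key: bytes, block: bytes) -> bytes:  # exact inverse of enc_block
    left, right = block[:HALF], block[HALF:]
    for rnd in reversed(range(4)):
        left, right = xor(right, _f(key, rnd, left)), left
    return left + right

def cbc_encrypt(key: bytes, e0: bytes, plaintext: bytes) -> bytes:
    if len(plaintext) % BLOCK: raise ValueError("pad to whole blocks first")
    prev, out = e0, []  # textbook CBC: E_{i+1} = E_K(E_i XOR P_{i+1})
    for i in range(0, len(plaintext), BLOCK):
        prev = enc_block(key, xor(prev, plaintext[i:i + BLOCK]))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, e0: bytes, ciphertext: bytes) -> bytes:
    if len(ciphertext) % BLOCK: raise ValueError("not a whole number of blocks")
    prev, out = e0, []
    for i in range(0, len(ciphertext), BLOCK):
        out.append(xor(dec_block(key, ciphertext[i:i + BLOCK]), prev))
        prev = ciphertext[i:i + BLOCK]
    return b"".join(out)

# Quoted variant: E_0 = E_K(IV) under the same key K; only E_1..E_n are sent,
# the IV travels alongside, and the receiver recomputes E_0 itself.
def cbc_encrypt_enc_iv(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    return cbc_encrypt(key, enc_block(key, iv), plaintext)

def cbc_decrypt_enc_iv(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    return cbc_decrypt(key, enc_block(key, iv), ciphertext)

KEY, IV = b"constructed demo key", bytes(range(BLOCK))  # constructed sample inputs
PT = b"the first block." + b"the second block"          # two 16-byte blocks
```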

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
