[147052] in cryptography@c2.net mail archive


[Cryptography] Killing two IV related birds with one stone

daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Wed Sep 11 18:51:24 2013

X-Original-To: cryptography@metzdowd.com
Date: Wed, 11 Sep 2013 18:51:16 -0400
From: "Perry E. Metzger" <perry@piermont.com>
To: cryptography@metzdowd.com
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

It occurs to me that specifying that IVs for CBC mode in protocols
like IPsec, TLS, etc. be generated by using a block cipher in counter
mode, and that the IVs be implicit rather than transmitted, kills two
birds with one stone.

The first bird is the obvious one: we now know IVs are unpredictable
and will not repeat.

The second bird is less obvious: we've just gotten rid of a covert
channel for malicious hardware to leak information.

Note that if you still transmit the IVs, a misimplemented client
could still interoperate with a malicious counterparty that did not
use the enforced method for IV calculation. If you don't transmit
the IVs at all but calculate them, the system will not interoperate if
the implicit IVs aren't calculated the same way by both sides, thus
ensuring that the covert channel is closed.

Perry
-- 
Perry E. Metzger		perry@piermont.com
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
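The implicit-IV construction described in the post (both peers derive the CBC IV by running the block cipher in counter mode over a shared record counter, so nothing is sent on the wire), written out in Go as an added example that is not from the original message or from any of the protocols it names. It assumes AES-128, a separate IV key, and a 64-bit record sequence number; padding and the record MAC are out of scope.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// deriveIV is the implicit-IV rule both peers apply: the block cipher in counter
// mode under a dedicated IV key, so record seq gets IV = E_ivKey(seq as a 16-byte
// block). Nothing is transmitted and the sender gets no IV bits to choose.
func deriveIV(ivKey []byte, seq uint64) ([]byte, error) {
	blk, err := aes.NewCipher(ivKey)
	if err != nil {
		return nil, err
	}
	ctr := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(ctr[8:], seq)
	blk.Encrypt(ctr, ctr) // in-place: ctr now holds the IV
	return ctr, nil
}

// cbc runs CBC over whole blocks under a caller-supplied IV; newMode is
// cipher.NewCBCEncrypter or cipher.NewCBCDecrypter. Misaligned input is rejected.
func cbc(key, iv, in []byte, newMode func(cipher.Block, []byte) cipher.BlockMode) ([]byte, error) {
	if len(in)%aes.BlockSize != 0 {
		return nil, errors.New("input must be a whole number of blocks")
	}
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	newMode(blk, iv).CryptBlocks(out, in)
	return out, nil
}

// receiveRecord is the implicit-IV receiver: it accepts no IV from the wire and
// derives its own from the shared IV key and the record counter.
func receiveRecord(encKey, ivKey []byte, seq uint64, ct []byte) ([]byte, error) {
	iv, err := deriveIV(ivKey, seq)
	if err != nil {
		return nil, err
	}
	return cbc(encKey, iv, ct, cipher.NewCBCDecrypter)
}
```

A sender that ignores the rule and picks its own IV produces a first block that decrypts to garbage on the honest receiver, while later CBC blocks still decrypt correctly, so it is the record MAC that turns the mismatch into a rejected record rather than a silently corrupted one.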
