[87957] in cryptography@c2.net mail archive
Re: More info in my AES128-CBC question
daemon@ATHENA.MIT.EDU (Leichter, Jerry)
Wed May 9 18:47:16 2007
Date: Wed, 9 May 2007 18:04:20 -0400 (EDT)
From: "Leichter, Jerry" <leichter_jerrold@emc.com>
To: Thor Lancelot Simon <tls@rek.tjls.com>
cc: cryptography@metzdowd.com
In-Reply-To: <20070509193544.GA15594@panix.com>
| > > Frankly, for SSH this isn't a very plausible attack, since it's not
| > > clear how you could force chosen plaintext into an SSH session between
| > > messages. A later paper suggested that SSL is more vulnerable:
| > > A browser plugin can insert data into an SSL protected session, so
| > > might be able to cause information to leak.
| >
| > Hmm, what about IPSec? Aren't most of the cipher suites used there
| > CBC mode?
|
| ESP does not chain blocks across packets. One could produce an ESP
| implementation that did so, but there is really no good reason for
| that, and as has been widely discussed, an implementation SHOULD use
| a PRNG to generate the IV for each packet.
I hope it's a cryptographically secure PRNG. The attack doesn't require
any particular IV, just one known to an attacker ahead of time.
However, cryptographically secure RNGs are typically just as expensive
as doing a block encryption. So why not just encrypt the IV once with
the session key before using it? (This is the equivalent of prepending
a block of all 0's to each packet.)
-- Jerry
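An added example (not from Jerry's message or from any ESP implementation) showing the three per-packet schemes under discussion: using a known wire IV directly, running it through the block cipher once before chaining, and the all-zero-block formulation that Jerry says is equivalent. It assumes a toy 128-bit Feistel permutation standing in for AES, and the function names are mine.

```python
import hashlib

BLOCK = 16  # 128-bit blocks, as with AES128-CBC

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for AES: 4-round Feistel keyed via SHA-256. Illustrative only,
    # NOT a secure cipher; any 128-bit block cipher fits the same slot.
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for i in range(4):
        f = hashlib.sha256(key + bytes([i]) + right).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def cbc_encrypt(key: bytes, chain: bytes, plaintext: bytes) -> bytes:
    # Plain CBC; padding is out of scope, so the payload must be block-aligned.
    assert len(plaintext) % BLOCK == 0
    out = []
    for i in range(0, len(plaintext), BLOCK):
        chain = toy_block_encrypt(key, xor(chain, plaintext[i:i + BLOCK]))
        out.append(chain)
    return b"".join(out)

def packet_plain_iv(key: bytes, iv: bytes, payload: bytes) -> bytes:
    # The wire IV is the chaining value. If the IV is known ahead of time, the
    # cipher input for block 1 is iv XOR p1: fixed by public data plus plaintext.
    return cbc_encrypt(key, iv, payload)

def packet_encrypted_iv(key: bytes, iv: bytes, payload: bytes) -> bytes:
    # Jerry's suggestion: same wire IV, but the chaining value is E_k(iv), so the
    # block-1 cipher input E_k(iv) XOR p1 cannot be computed without the key.
    return cbc_encrypt(key, toy_block_encrypt(key, iv), payload)

def packet_zero_prefix(key: bytes, iv: bytes, payload: bytes) -> bytes:
    # Equivalent formulation: CBC-encrypt an all-zero block first and drop its
    # ciphertext, since C0 = E_k(iv XOR 0) = E_k(iv) and the chain continues.
    return cbc_encrypt(key, iv, bytes(BLOCK) + payload)[BLOCK:]

def demonstrate(key: bytes, iv: bytes, payload: bytes) -> dict:
    plain, enc_iv = packet_plain_iv(key, iv, payload), packet_encrypted_iv(key, iv, payload)
    return {
        "encrypted_iv_equals_zero_prefix": enc_iv == packet_zero_prefix(key, iv, payload),
        "plain_iv_block1_is_E(iv^p1)": plain[:BLOCK] == toy_block_encrypt(key, xor(iv, payload[:BLOCK])),
        "schemes_differ": plain != enc_iv,
    }
```

The receiver applies the same single extra block encryption to the wire IV before CBC decryption, so the packet format on the wire is unchanged and the per-packet cost is one block operation rather than a CSPRNG call.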
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com