More info in my AES128-CBC question
Alexander Klimov
alserkli at inbox.ru
Thu Apr 26 09:14:34 EDT 2007
On Wed, 25 Apr 2007, Travis H. wrote:
> > If the IV is chained across contiguous messages as in SSHv2
> > then you have a problem (see above).
>
> I don't fully understand what it means to have IVs chained
> across contiguous (?) messages, as in CBC mode each ciphertext
> block forms the "IV" of the block after it, effectively;
> basically an IV is just C_0 for some stream.
The order of events is important. Consider a chosen plaintext
attack: a secret message was sent over a CBC-encrypted channel.
For example, it was a single block with padded "yes" or "no" and
the encryption is x0||x1, where x0 is a random IV and
x1 = E(x0 xor "yes").
The attacker can now submit their message to find the secret
one. If the attacker knows that x1 is going to be used as the
next IV, they can try to submit
m = x0 xor "yes" xor x1
it will be encrypted as
x2 = E(m xor x1) = E(x0 xor "yes") = x1
so if x2 = x1 the attacker knows that "yes" was sent, otherwise
it was "no".
If the new IV is randomly selected *after* the attacker has made
his choice the attack is impossible.
--
Regards,
ASK
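The chosen-plaintext attack described in the post, as an added runnable example that is not part of the original message or of any SSH implementation. It uses a toy Feistel block cipher keyed through SHA-256 as a stand-in for AES so that it runs with the standard library only; the attack relies on nothing beyond E_k being deterministic. The names CbcChannel, recover_secret and run_demo are mine. With chain=True the last ciphertext block becomes the next IV, as in SSHv2, and the attacker submits m = x0 xor guess xor (predicted IV) and checks whether the resulting block equals x1; the candidate list generalizes the "yes"/"no" case to any small set of possible secrets. With chain=False the IV is drawn after the attacker has chosen m, and the same queries learn nothing.

```python
import hashlib
import os
from typing import List, Optional, Tuple

BLOCK = 16  # block size in bytes, as for AES-128


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy block cipher E_k: an 8-round Feistel network with a SHA-256 round
    function. It stands in for AES only so this runs without third-party
    packages (an assumption of this example); the attack needs nothing beyond
    E_k being a deterministic permutation of one block."""
    assert len(block) == BLOCK
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(8):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:BLOCK // 2]
        left, right = right, xor(left, f)
    return left + right


class CbcChannel:
    """CBC encryption oracle. With chain=True the last ciphertext block of one
    message is the IV of the next (the SSHv2 behaviour discussed in the thread);
    with chain=False a fresh random IV is drawn for every message, only after
    the plaintext has been chosen, and is sent along with the ciphertext."""

    def __init__(self, key: bytes, first_iv: bytes, chain: bool):
        self.key = key
        self.next_iv = first_iv
        self.chain = chain

    def encrypt(self, plaintext: bytes) -> Tuple[bytes, bytes]:
        assert len(plaintext) % BLOCK == 0, "caller pads to whole blocks"
        iv = self.next_iv if self.chain else os.urandom(BLOCK)
        prev, out = iv, []
        for i in range(0, len(plaintext), BLOCK):
            prev = block_encrypt(self.key, xor(plaintext[i:i + BLOCK], prev))
            out.append(prev)
        if self.chain:
            self.next_iv = prev  # public ciphertext: the attacker sees it too
        return iv, b"".join(out)


def pad(msg: bytes) -> bytes:
    """Zero-pad a short secret to one block (padding scheme is an assumption)."""
    return msg.ljust(BLOCK, b"\x00")


def recover_secret(channel: CbcChannel, x0: bytes, x1: bytes,
                   candidates: List[bytes]) -> Optional[bytes]:
    """x0 is the IV the secret block was encrypted under, x1 its ciphertext.
    For each guess g the attacker submits m = x0 xor g xor (predicted IV); if
    the prediction holds the new block is E(x0 xor g), which equals x1 exactly
    when g is the secret. Returns the recovered secret, or None."""
    predicted_iv = x1  # under chaining, the IV of the attacker's next message
    for guess in candidates:
        m = xor(xor(x0, pad(guess)), predicted_iv)
        _iv_used, ct = channel.encrypt(m)
        x2 = ct[-BLOCK:]
        if x2 == x1:
            return guess
        predicted_iv = x2  # a wrong guess still tells us the next chained IV
    return None


def run_demo(secret: bytes, chain: bool) -> Optional[bytes]:
    """Encrypt one secret block ("yes" or "no"), then run the attack."""
    key = os.urandom(16)
    channel = CbcChannel(key, os.urandom(BLOCK), chain)
    x0, x1 = channel.encrypt(pad(secret))  # x1 = E(x0 xor secret)
    return recover_secret(channel, x0, x1, [b"yes", b"no"])


if __name__ == "__main__":
    print("chained IV, secret 'yes':", run_demo(b"yes", chain=True))
    print("chained IV, secret 'no': ", run_demo(b"no", chain=True))
    print("fresh IV,   secret 'yes':", run_demo(b"yes", chain=False))
```

Note that the attacker never needs the key or a decryption oracle, only the ability to get one chosen message encrypted after observing the target; with a fresh IV the comparison x2 == x1 succeeds only if the random IV happens to equal x1, which is a 2^-128 event for a 16-byte block.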
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com