More info in my AES128-CBC question

Nicolas Williams Nicolas.Williams at sun.com
Mon Apr 23 11:11:11 EDT 2007


On Sun, Apr 22, 2007 at 05:59:54PM -0700, Aram Perez wrote:
> No, there will be message integrity. For those of you asking, here's
> a high-level overview of the protocol:

> [...]

> 3) Data needing confidentiality is encrypted with the SK in the mode  
> selected in step 1. The message is integrity protected with MK. A new  
> MK is generated after a message is sent using MK(i+1) = H[MK(i)]

You don't necessarily have to change the integrity protection key for
every message.  One thing this says is that the protocol involves an
ordered stream of messages.

> Hope this clarifies things somewhat.

It does.  You can get by without a random IV by using CBC analogously to
how you use counter modes and cipher streams in general.  The key thing
is to avoid key and IV/counter re-use.  For a protocol where ordered
delivery of messages is expected/required this is easy to achieve.

Derive the key and/or counter/IV from a message sequence number and do
it in such a way that you either cannot repeat them or are very, very
unlikely to repeat them and you're fine.

But be careful.  Simply chaining the IV from message to message will
create problems (see SSH).

What is the concern with using random IVs/confounders anyways?  The need
for an entropy source?  If so keep in mind that a PRNG will be
sufficient for generating the IVs/confounders and that you'll generally
need some source of entropy for at least some protocol elements (e.g.,
nonces).

Nico
-- 
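The scheme the two messages sketch, as an added example that is not code from either poster: the per-message CBC IV is derived from the sequence number with a keyed PRF (both sides compute it, so no random IV and no IV chaining), and the integrity key is ratcheted as MK(i+1) = H[MK(i)]. AES-CBC itself is left out (Python's stdlib has no AES), so `ciphertext` is taken as the already SK-encrypted data; the key names IVK and MK and the HMAC/SHA-256 choices are assumptions.

```python
import hashlib
import hmac
import struct

def derive_iv(ivk: bytes, seq: int) -> bytes:
    # IV_i = PRF(IVK, seq_i): unique per sequence number and, unlike an IV
    # chained from the previous ciphertext block, not predictable by anyone
    # who sees the ciphertext but lacks IVK. (IVK is an assumed key name.)
    return hmac.new(ivk, struct.pack(">Q", seq), hashlib.sha256).digest()[:16]

def ratchet(mk: bytes) -> bytes:
    # MK(i+1) = H[MK(i)], the per-message key update from the quoted protocol.
    return hashlib.sha256(mk).digest()

def tag(mk: bytes, seq: int, iv: bytes, ciphertext: bytes) -> bytes:
    # Bind the tag to seq and IV so reordering or IV substitution is detected.
    data = struct.pack(">Q", seq) + iv + ciphertext
    return hmac.new(mk, data, hashlib.sha256).digest()

class Endpoint:
    """One side of the ordered message stream; both sides start from the
    same IVK and MK(0) and advance in lockstep."""

    def __init__(self, ivk: bytes, mk0: bytes):
        self.ivk, self.mk, self.seq = ivk, mk0, 0

    def protect(self, ciphertext: bytes):
        # Sender: derive this message's IV, tag with the current MK, ratchet.
        seq, iv = self.seq, derive_iv(self.ivk, self.seq)
        t = tag(self.mk, seq, iv, ciphertext)
        self.mk, self.seq = ratchet(self.mk), self.seq + 1
        return seq, iv, ciphertext, t

    def verify(self, seq: int, ciphertext: bytes, t: bytes):
        # Receiver: the IV is never transmitted; it is re-derived from seq.
        # Returns the IV to decrypt with, or None if the message is rejected.
        if seq != self.seq:          # replayed, dropped or reordered message
            return None
        iv = derive_iv(self.ivk, seq)
        if not hmac.compare_digest(t, tag(self.mk, seq, iv, ciphertext)):
            return None
        self.mk, self.seq = ratchet(self.mk), self.seq + 1  # only on success
        return iv
```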

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com