More info in my AES128-CBC question

Aram Perez aramperez at mac.com
Mon Apr 23 14:23:54 EDT 2007


Hi Nico,

On Apr 23, 2007, at 8:11 AM, Nicolas Williams wrote:

> On Sun, Apr 22, 2007 at 05:59:54PM -0700, Aram Perez wrote:
>> No, there will be message integrity. For those of you asking, here's
>> a high-level overview of the protocol:
>
>> [...]
>
>> 3) Data needing confidentiality is encrypted with the SK in the mode
>> selected in step 1. The message is integrity protected with MK. A new
>> MK is generated after a message is sent using MK(i+1) = H[MK(i)]
>
> You don't necessarily have to change the integrity protection key for
> every message.  One thing this says is that the protocol involves an
> ordered stream of messages.

You need to change the integrity key if you want to prevent replay attacks.

No, the messages do not have to be ordered in any fashion. And in fact, an
attacker would not send the messages in the correct order.

>
>> Hope this clarifies things somewhat.
>
> It does.  You can get by without a random IV by using CBC analogously to
> how you use counter modes and cipher streams in general.  The key thing
> is to avoid key and IV/counter re-use.  For a protocol where ordered
> delivery of messages is expected/required this is easy to achieve.
>
> Derive the key and/or counter/IV from a message sequence number and do
> it in such a way that you either cannot repeat them or are very, very
> unlikely to repeat them and you're fine.
>
> But be careful.  Simply chaining the IV from message to message will
> create problems (see SSH).

The intention would be a new IV with each message being sent.

> What is the concern with using random IVs/confounders anyways?  The need
> for an entropy source?  If so keep in mind that a PRNG will be
> sufficient for generating the IVs/confounders and that you'll generally
> need some source of entropy for at least some protocol elements (e.g.,
> nonces).

The concern was that "that's the way SD cards do it today". Another
response was "you haven't heard of anyone breaking SD cards have you?"

Thanks,
Aram
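The two design points argued over above, the per-message integrity-key ratchet MK(i+1) = H[MK(i)] and an IV derived from a message sequence number rather than chained from the previous ciphertext, as an added worked example. This is not code from the thread or from Aram's protocol: H is assumed to be SHA-256 and the MAC HMAC-SHA256 (the post names neither), the IV derivation uses HMAC as a PRF with a domain-separated key taken from SK, the "ciphertexts" are opaque constructed byte strings (no cipher is run), and the receiver generalizes the thread's design by walking the hash chain forward over a small window so it can accept messages that arrive ahead of order while still rejecting replays, since the chain cannot be walked backwards.

```python
import hashlib
import hmac

BLOCK = 16  # AES block size, which is also the CBC IV size


def next_mk(mk: bytes) -> bytes:
    """MK(i+1) = H[MK(i)]; the thread does not name H, SHA-256 is assumed here."""
    return hashlib.sha256(mk).digest()


def mk_at(mk_base: bytes, steps: int) -> bytes:
    """Walk the hash chain forward `steps` times. It cannot be walked backwards."""
    mk = mk_base
    for _ in range(steps):
        mk = next_mk(mk)
    return mk


def derive_iv(sk: bytes, seq: int) -> bytes:
    """Per-message CBC IV derived from the sequence number, never chained from the
    previous ciphertext. Assumption: HMAC-SHA256 as the PRF, keyed with an
    IV-derivation key split off from SK so SK itself is only used for encryption."""
    iv_key = hmac.new(sk, b"iv-derivation", "sha256").digest()
    return hmac.new(iv_key, seq.to_bytes(8, "big"), "sha256").digest()[:BLOCK]


def tag(mk: bytes, seq: int, ciphertext: bytes) -> bytes:
    """Integrity tag over sequence number and ciphertext under MK(seq) (HMAC assumed)."""
    return hmac.new(mk, seq.to_bytes(8, "big") + ciphertext, "sha256").digest()


class Sender:
    def __init__(self, mk0: bytes):
        self.mk, self.seq = mk0, 0

    def send(self, ciphertext: bytes):
        msg = (self.seq, ciphertext, tag(self.mk, self.seq, ciphertext))
        self.mk = next_mk(self.mk)  # ratchet after every message, as in the thread
        self.seq += 1
        return msg


class Receiver:
    """Holds MK at chain position `base`. Later positions are reachable by hashing
    forward; earlier ones are not, so anything at or below `base` is a replay."""

    def __init__(self, mk0: bytes, window: int = 16):
        self.mk_base, self.base, self.window, self.seen = mk0, 0, window, set()

    def receive(self, msg) -> bool:
        seq, ciphertext, t = msg
        if seq < self.base or seq in self.seen or seq >= self.base + self.window:
            return False  # replayed, already accepted, or too far ahead of the window
        expected = tag(mk_at(self.mk_base, seq - self.base), seq, ciphertext)
        if not hmac.compare_digest(t, expected):
            return False  # tampered or forged; state is left untouched
        self.seen.add(seq)
        while self.base in self.seen:  # slide the window over accepted indices
            self.seen.discard(self.base)
            self.mk_base = next_mk(self.mk_base)
            self.base += 1
        return True


def demo() -> dict:
    """Constructed keys and messages; returns the accept/reject outcome of each case."""
    mk0 = hashlib.sha256(b"constructed shared MK(0)").digest()
    sk = hashlib.sha256(b"constructed session key SK").digest()
    s, r = Sender(mk0), Receiver(mk0)
    m0, m1, m2 = (s.send(b"ciphertext-%d" % i) for i in range(3))
    results = {
        "in_order": r.receive(m0),
        "out_of_order_ahead": r.receive(m2),  # MK(2) reached by hashing forward
        "gap_filled": r.receive(m1),
        "replay_old": r.receive(m0),          # base has moved past 0: MK(0) is gone
        "replay_recent": r.receive(m2),
    }
    m3 = s.send(b"ciphertext-3")
    results["tampered"] = r.receive((m3[0], b"ciphertext-X", m3[2]))
    results["genuine_after_tamper"] = r.receive(m3)
    results["unique_ivs"] = len({derive_iv(sk, i) for i in range(1000)})
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Note what the receiver must hold: not just MK but its position in the chain. A message carries its own sequence number only so the receiver can find the right MK, so the ratchet does impose an ordering relation on the stream even when delivery itself is unordered.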


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com