More info in my AES128-CBC question

Hagai Bar-El info at hbarel.com
Wed Apr 25 10:20:30 EDT 2007


Hello Nico,

On 25/04/07 02:18, Nicolas Williams wrote:
> If there isn't a good reason for rejecting what I suggest then one might
> worry that changing the integrity key on every message (but not the
> confidentiality key?) is something that a non-expert might do and that
> there may be other problems with this protocol.  Much experience has
> been gained with other protocols in these areas; do leverage it.

Is there anything wrong with changing the integrity key every message as
a means of preventing cut-and-paste attacks between messages or against
taking messages out of their order? It may not be the most efficient
way; adding a message counter to the HMAC does make more sense, but is
there a problem with the way Aram does it now? (I don't see any.)

>>> But be careful.  Simply chaining the IV from message to message will
>>> create problems (see SSH).

What problem does this (chaining IV from message to message) introduce
in our case?

>> The intention would be a new IV with each message being sent.

> As long as it doesn't repeat.  Also, if it's not random then make that
> IV the first block of plaintext (with a fixed IV) -- that is, use a
> confounder, and make sure it doesn't repeat.

It seems as if Aram uses a different IV for each message encrypted with
CBC. I am not sure I see a requirement for randomness here. As far as I
can tell, this IV can be a simple index number or something as
predictable, as long as it does not repeat within the same key scope.

> A legitimate response w.r.t. confounders might be "but that wastes a
> cipher block's worth of bits on the wire," which it certainly does, and
> if you're really hard pressed for bandwidth and use mostly small
> messages then you'd mind the confounder.  But I see no reason not to use
> a random or pseudo-random IV -- a device that can do crypto can and
> should have a decent PRNG (and a true, if low-bandwidth RNG to seed it).

I don't understand the difference between a confounder and an IV in
terms of bits on the wire. After all, in both cases the confounder or IV
need to be passed to the other side, unless they are implicitly known.

Hagai.


-- 
Hagai Bar-El - Information Security Analyst
T/F: 972-8-9354152 Web: www.hbarel.com
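
The thread compares two ways of stopping cut-and-paste and reordering between messages: Aram's approach of changing the integrity key every message, and Nico's suggestion of binding a message counter into the HMAC. The block below is an added example, not code from either poster, that implements both so they can be run against the same replay, reorder and tamper cases. It assumes HMAC-SHA256, a per-message key derived as k_i = HMAC(master, "int" || i) (the thread does not say how Aram derives his keys; this derivation is an assumption), and leaves the CBC encryption out: `ciphertext` is whatever the cipher produced, and the sample values are constructed.

```python
import hashlib
import hmac
from typing import Dict, Optional

MAC_LEN = 32  # HMAC-SHA256 tag length in bytes
CTR_LEN = 8   # explicit counter width on the wire (scheme B only)


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def per_message_key(master: bytes, index: int) -> bytes:
    # Assumed derivation for "a new integrity key every message":
    # k_i = HMAC(master, "int" || i). The thread does not say how Aram
    # derives his keys; this is one reasonable way, not his.
    return _mac(master, b"int" + index.to_bytes(CTR_LEN, "big"))


class RatchetSender:
    """Scheme A: MAC input is just the ciphertext; the key changes per message."""

    def __init__(self, master: bytes) -> None:
        self.master, self.i = master, 0

    def send(self, ciphertext: bytes) -> bytes:
        frame = ciphertext + _mac(per_message_key(self.master, self.i), ciphertext)
        self.i += 1
        return frame


class RatchetReceiver:
    def __init__(self, master: bytes) -> None:
        self.master, self.i = master, 0

    def recv(self, frame: bytes) -> Optional[bytes]:
        if len(frame) < MAC_LEN:
            return None
        body, tag = frame[:-MAC_LEN], frame[-MAC_LEN:]
        expected = _mac(per_message_key(self.master, self.i), body)
        if not hmac.compare_digest(tag, expected):
            return None  # tag made under another message's key, or tampered
        self.i += 1      # only advance the key on an accepted message
        return body


class CounterSender:
    """Scheme B: one integrity key; an explicit counter is bound into the MAC."""

    def __init__(self, key: bytes) -> None:
        self.key, self.i = key, 0

    def send(self, ciphertext: bytes) -> bytes:
        ctr = self.i.to_bytes(CTR_LEN, "big")
        self.i += 1
        return ctr + ciphertext + _mac(self.key, ctr + ciphertext)


class CounterReceiver:
    def __init__(self, key: bytes) -> None:
        self.key, self.i = key, 0

    def recv(self, frame: bytes) -> Optional[bytes]:
        if len(frame) < CTR_LEN + MAC_LEN:
            return None
        ctr, body, tag = frame[:CTR_LEN], frame[CTR_LEN:-MAC_LEN], frame[-MAC_LEN:]
        if int.from_bytes(ctr, "big") != self.i:
            return None  # replayed or out of order: reject before checking the MAC
        if not hmac.compare_digest(tag, _mac(self.key, ctr + body)):
            return None  # wrong key or tampered
        self.i += 1
        return body


def run_demo(master: bytes = b"constructed 32-byte master key..") -> Dict[str, Dict[str, bool]]:
    """Drive both schemes through the same skip / replay / tamper cases."""
    results: Dict[str, Dict[str, bool]] = {}
    for name, sender_cls, receiver_cls in (
        ("ratchet", RatchetSender, RatchetReceiver),
        ("counter", CounterSender, CounterReceiver),
    ):
        s, r = sender_cls(master), receiver_cls(master)
        # Constructed stand-in ciphertexts; real CBC output would go here.
        frames = [s.send(b"ct-%d" % n) for n in range(3)]
        tampered = frames[2][:-1] + bytes([frames[2][-1] ^ 0x01])
        results[name] = {
            "skip_ahead_rejected": r.recv(frames[1]) is None,
            "first_accepted": r.recv(frames[0]) == b"ct-0",
            "replay_rejected": r.recv(frames[0]) is None,
            "second_accepted": r.recv(frames[1]) == b"ct-1",
            "tamper_rejected": r.recv(tampered) is None,
            "third_accepted": r.recv(frames[2]) == b"ct-2",
        }
    return results


if __name__ == "__main__":
    for scheme, checks in run_demo().items():
        print(scheme, checks)
```

Both schemes bind each message to its position, so a replayed, skipped or swapped frame fails verification; that is the property the thread is after. The differences are cost and visibility: the counter scheme spends eight bytes per message on the wire and one HMAC per message, while the per-message-key scheme keeps the counter implicit at the price of an extra HMAC for the key derivation and gives the receiver no way to tell a lost message from a forged one. In both, a single lost message leaves the receiver out of step, which is exactly the strict ordering the thread asks for; a protocol that must tolerate loss would need the explicit counter plus a window, which is outside what the thread discusses. The tag comparison uses `hmac.compare_digest` so verification time does not depend on where the first mismatching byte is.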

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


