More info in my AES128-CBC question

Alexander Klimov alserkli at inbox.ru
Thu Apr 26 09:14:34 EDT 2007


On Wed, 25 Apr 2007, Travis H. wrote:
> > If the IV chained across contiguous messages as in SSHv2
> > then you have a problem (see above).
>
> I don't fully understand what it means to have IVs chained
> across contiguous (?) messages, as in CBC mode each ciphertext
> block forms the "IV" of the block after it, effectively;
> basically an IV is just C_0 for some stream.

The order of events is important. Consider a chosen plaintext
attack: a secret message was sent over a CBC-encrypted channel.
For example, it was a single block with padded "yes" or "no" and
the encryption is x0||x1, where x0 is a random IV and

  x1 = E(x0 xor "yes").

The attacker can now submit their message to find the secret
one. If the attacker knows that x1 is going to be used as the
next IV, they can try to submit

  m = x0 xor "yes" xor x1

it will be encrypted as

  x2 = E(m xor x1) = E(x0 xor "yes") = x1

so if x2 = x1 the attacker knows that "yes" was sent, otherwise
it was "no".

If the new IV is randomly selected *after* the attacker has made
his choice, the attack is impossible.

-- 
Regards,
ASK
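As an added illustration that is not part of this thread, the exchange above in Python: E is a toy Feistel block cipher standing in for AES (an assumption made so the code runs without dependencies), CbcChannel is a constructed one-block-per-message sender, and the distinguisher recovers the secret only when the channel chains IVs.

```python
import hashlib, hmac, secrets

BLOCK = 16  # 128-bit blocks, as in AES-CBC

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def E(key: bytes, block: bytes) -> bytes:
    """Toy 128-bit block cipher (4-round Feistel, HMAC round function) standing
    in for AES as the post's E(). Any deterministic block cipher behaves the same."""
    assert len(block) == BLOCK
    l, r = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + r, hashlib.sha256).digest()[:8]
        l, r = r, xor(l, f)
    return l + r

def pad(msg: bytes) -> bytes:
    return msg.ljust(BLOCK, b"\x00")  # constructed: pad "yes"/"no" to one block

class CbcChannel:
    """One-block-per-message CBC sender. chain_iv=True reuses the last ciphertext
    block as the next IV (the SSHv2 behaviour); chain_iv=False draws a fresh IV
    only when the next plaintext is handed in, as the post recommends."""
    def __init__(self, key: bytes, chain_iv: bool):
        self.key, self.chain_iv = key, chain_iv
        self.iv = secrets.token_bytes(BLOCK)

    def encrypt(self, block: bytes) -> tuple[bytes, bytes]:
        iv = self.iv
        c = E(self.key, xor(iv, block))
        self.iv = c if self.chain_iv else secrets.token_bytes(BLOCK)
        return iv, c  # the wire carries iv || c

def attacker_guess(chan: CbcChannel, secret: bytes) -> bytes:
    """The post's chosen-plaintext distinguisher. `secret` is what the victim
    sends; the attacker sees only x0||x1, then submits one message of their own."""
    x0, x1 = chan.encrypt(pad(secret))
    m = xor(xor(x0, pad(b"yes")), x1)  # m xor x1 == x0 xor "yes" iff x1 is the next IV
    _, x2 = chan.encrypt(m)            # chained: x2 == x1 exactly when "yes" was sent
    return b"yes" if x2 == x1 else b"no"

def distinguisher_works(chain_iv: bool) -> bool:
    """True when the attacker's guess is right for both possible secrets."""
    key = secrets.token_bytes(16)
    return all(attacker_guess(CbcChannel(key, chain_iv), s) == s
               for s in (b"yes", b"no"))
```

With chain_iv=True the guess is always right; with a fresh IV drawn after the attacker commits, x2 matches x1 only if the random IV happens to equal x1, so the test leaks nothing.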

---------------------------------------------------------------------
The Cryptography Mailing List