More info in my AES128-CBC question
Steven M. Bellovin
smb at cs.columbia.edu
Wed May 9 17:02:44 EDT 2007
On Wed, 9 May 2007 15:35:44 -0400
Thor Lancelot Simon <tls at rek.tjls.com> wrote:
> On Wed, May 09, 2007 at 01:13:36AM -0500, Travis H. wrote:
> > On Fri, Apr 27, 2007 at 05:13:44PM -0400, Leichter, Jerry wrote:
> > > Frankly, for SSH this isn't a very plausible attack, since it's
> > > not clear how you could force chosen plaintext into an SSH
> > > session between messages. A later paper suggested that SSL is
> > > more vulnerable: A browser plugin can insert data into an SSL
> > > protected session, so might be able to cause information to leak.
> >
> > Hmm, what about IPSec? Aren't most of the cipher suites used there
> > CBC mode?
>
> ESP does not chain blocks across packets. One could produce an ESP
> implementation that did so, but there is really no good reason for
> that, and as has been widely discussed, an implementation SHOULD use
> a PRNG to generate the IV for each packet.
Mostly right. RFC 2405 stated:
    Implementation note:
    Common practice is to use random data for the first IV and the
    last 8 octets of encrypted data from an encryption process as the
    IV for the next encryption process; this logically extends the CBC
    across the packets.
not as a requirement but as a hint. On the other hand, RFC 3602 says:
    The IV MUST be chosen at random, and MUST be unpredictable.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
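As an added example, not code from this thread or from any IPsec implementation, the Go program below contrasts the two IV policies the messages quote: RFC 2405's chained IV (last ciphertext block of the previous packet) and RFC 3602's random IV. ChainsIVs is the audit check a defender can run over captured packets to see whether an implementation chains IVs, and GuessConfirmed shows the chosen-plaintext leak the thread discusses, which works only when the IV is predictable; Packet, RandIV, ChainIV, Encrypt and the test values are all constructed here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// Packet is a constructed stand-in for an ESP payload: IV, then CBC ciphertext.
type Packet struct{ IV, Body []byte }
// RandIV is the RFC 3602 rule: a fresh, unpredictable IV for every packet.
func RandIV(_ Packet) []byte {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	return iv
}
// ChainIV is the RFC 2405 note: the previous packet's last ciphertext block
// becomes the next IV, so anyone who saw that packet knows the IV in advance.
func ChainIV(prev Packet) []byte { return prev.Body[len(prev.Body)-aes.BlockSize:] }
// Encrypt CBC-encrypts pt (a whole number of blocks) as the packet after prev.
func Encrypt(b cipher.Block, prev Packet, nextIV func(Packet) []byte, pt []byte) Packet {
	iv := nextIV(prev)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(b, iv).CryptBlocks(ct, pt)
	return Packet{IV: iv, Body: ct}
}
// ChainsIVs audits a captured stream: does any IV equal the previous packet's last block?
func ChainsIVs(pkts []Packet) bool {
	for i := 1; i < len(pkts); i++ {
		if bytes.Equal(pkts[i].IV, ChainIV(pkts[i-1])) {
			return true
		}
	}
	return false
}
// GuessConfirmed shows why that matters: whoever saw prev and expects the next IV
// to be ChainIV(prev) gets guess^prev.IV^ChainIV(prev) encrypted as the next first
// block; equality with prev's first ciphertext block confirms guess was prev's
// first plaintext block. Under RandIV the expected IV is wrong and nothing leaks.
func GuessConfirmed(b cipher.Block, prev Packet, nextIV func(Packet) []byte, guess []byte) bool {
	probe, expected := make([]byte, aes.BlockSize), ChainIV(prev)
	for i := range probe {
		probe[i] = guess[i] ^ prev.IV[i] ^ expected[i]
	}
	return bytes.Equal(Encrypt(b, prev, nextIV, probe).Body[:aes.BlockSize], prev.Body[:aes.BlockSize])
}
```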