More info in my AES128-CBC question
Leichter, Jerry
leichter_jerrold at emc.com
Wed May 9 18:04:20 EDT 2007
| > > Frankly, for SSH this isn't a very plausible attack, since it's not
| > > clear how you could force chosen plaintext into an SSH session between
| > > messages. A later paper suggested that SSL is more vulnerable:
| > > A browser plugin can insert data into an SSL protected session, so
| > > might be able to cause information to leak.
| >
| > Hmm, what about IPSec? Aren't most of the cipher suites used there
| > CBC mode?
|
| ESP does not chain blocks across packets. One could produce an ESP
| implementation that did so, but there is really no good reason for
| that, and as has been widely discussed, an implementation SHOULD use
| a PRNG to generate the IV for each packet.

I hope it's a cryptographically secure PRNG. The attack doesn't require
any particular IV, just one known to an attacker ahead of time.
However, cryptographically secure RNGs are typically just as expensive
as doing a block encryption. So why not just encrypt the IV once with
the session key before using it? (This is the equivalent of prepending
a block of all 0's to each packet.)
-- Jerry
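Jerry's suggestion above, worked through as an added example that is not part of the email or of any IPsec implementation. It checks two things in code: that encrypting the IV once under the session key is the same as CBC-encrypting an all-zero block in front of the packet, and that doing so removes the first-block equality check which a predictable IV otherwise allows. The block cipher is a stand-in (a small Feistel network built from HMAC-SHA256), not AES, and the key, IVs and plaintext blocks are constructed values.

```python
import hmac
import hashlib

BLOCK = 16  # 128-bit blocks, as in AES-128


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 128-bit block cipher: a 4-round Feistel network whose round
    function is HMAC-SHA256. It is a keyed permutation, but NOT AES; use a
    real AES call in anything beyond this demonstration (assumption)."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Plain CBC: the IV goes straight into the first block's XOR."""
    assert len(plaintext) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_encrypt_masked_iv(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Jerry's variant: encrypt the IV once under the session key and use the
    result as the effective IV. A party who can predict `iv` but lacks the
    key cannot predict block_encrypt(key, iv)."""
    return cbc_encrypt(key, block_encrypt(key, iv), plaintext)


def masked_iv_equals_zero_prefix(key: bytes, iv: bytes, plaintext: bytes) -> bool:
    """The equivalence the email states: masking the IV yields the same
    ciphertext as CBC over (one all-zero block || plaintext) under the
    original IV, once that leading ciphertext block is dropped."""
    masked = cbc_encrypt_masked_iv(key, iv, plaintext)
    prefixed = cbc_encrypt(key, iv, bytes(BLOCK) + plaintext)[BLOCK:]
    return masked == prefixed


def first_block_collides(mode, key, iv1, secret_block, iv2, guess) -> bool:
    """Model of the chosen-plaintext equality check that a *known* IV makes
    possible. Packet 1 carries `secret_block`; packet 2 is chosen by a party
    who knows both IVs but not the key, as guess XOR iv1 XOR iv2. Under plain
    CBC the two first ciphertext blocks collide exactly when guess == secret.
    A defender can run this against an IV scheme to confirm the leak is
    closed: with the masked IV the collision no longer occurs."""
    c1 = mode(key, iv1, secret_block)
    c2 = mode(key, iv2, xor(xor(guess, iv1), iv2))
    return c1[:BLOCK] == c2[:BLOCK]


# Constructed sample values (not real keys or traffic).
KEY = bytes(range(16))
IV1 = b"packet-0001-iv.."
IV2 = b"packet-0002-iv.."
SECRET = b"top secret block"
WRONG = b"some other guess"

if __name__ == "__main__":
    print("masked IV == zero-prefix CBC:",
          masked_iv_equals_zero_prefix(KEY, IV1, SECRET + WRONG))
    print("plain CBC, correct guess collides:",
          first_block_collides(cbc_encrypt, KEY, IV1, SECRET, IV2, SECRET))
    print("plain CBC, wrong guess collides:",
          first_block_collides(cbc_encrypt, KEY, IV1, SECRET, IV2, WRONG))
    print("masked IV, correct guess collides:",
          first_block_collides(cbc_encrypt_masked_iv, KEY, IV1, SECRET, IV2, SECRET))
```

The first check holds for any block cipher, since E(0 XOR IV) is exactly the masked IV that feeds the next block. The second shows why the email insists on an unpredictable IV rather than merely a unique one: with plain CBC and IVs known in advance, equal first ciphertext blocks confirm a guessed plaintext block, whereas with the masked IV the same probe tells the prober nothing.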
---------------------------------------------------------------------
The Cryptography Mailing List