Question w.r.t. AES-CBC IV

Steven Bellovin smb at cs.columbia.edu
Fri Jul 9 18:58:28 EDT 2010


On Jul 9, 2010, at 1:55 12PM, Jonathan Katz wrote:

> CTR mode seems a better choice here. Without getting too technical, security of CTR mode holds as long as the IVs used are "fresh" whereas security of CBC mode requires IVs to be random.
> 
> In either case, a problem with a short IV (no matter what you do) is the possibility of IVs repeating. If you are picking 32-bit IVs at random, you expect a repeat after only (roughly) 2^16 encryptions (which is not very many).
> 

Unless I misunderstand your point, I think that in the real world there's a very real difference in the insecurity of CBC vs CTR if the IV selection is faulty.  With CBC, there is semantic insecurity, in that one can tell if two messages have a common prefix if the IV is the same.  Furthermore, if the IV is predictable to the adversary under certain circumstances some plaintext can be recovered.

With CTR, however, there are very devastating two-message attacks if the IVs are the same; all that's necessary is some decent knowledge of some probable plaintext.  


		--Steve Bellovin, http://www.cs.columbia.edu/~smb
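An added illustration, not part of the thread, of the three points above (Katz's 32-bit birthday bound, and Bellovin's CBC common-prefix leak versus the CTR two-message collapse) in pure-Python CBC and CTR. It assumes a toy 16-byte Feistel permutation in place of AES so it runs with the standard library only, a 16-byte CBC IV, an 8-byte CTR nonce with an 8-byte counter, and no padding; none of this is code from the list or its authors.

```python
import hashlib, hmac, secrets
BLOCK = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def block_encrypt(key, block):
    # Toy 16-byte keyed permutation (4-round Feistel over HMAC-SHA256) standing in for AES; NOT AES.
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def cbc_encrypt(key, iv, pt):
    # CBC with a 16-byte IV; pt must be a whole number of blocks (no padding here).
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def ctr_encrypt(key, nonce, pt):
    # CTR with an 8-byte nonce and 8-byte block counter; a partial last block is fine.
    out = []
    for i in range(0, len(pt), BLOCK):
        keystream = block_encrypt(key, nonce + (i // BLOCK).to_bytes(8, "big"))
        out.append(xor(pt[i:i + BLOCK], keystream))
    return b"".join(out)

def cbc_common_prefix_blocks(c1, c2):
    # Same CBC IV: ciphertexts agree on exactly the leading blocks where the plaintexts agree.
    n = 0
    while (n + 1) * BLOCK <= min(len(c1), len(c2)) and \
            c1[n * BLOCK:(n + 1) * BLOCK] == c2[n * BLOCK:(n + 1) * BLOCK]:
        n += 1
    return n

def ctr_nonce_reuse_cancels(c1, c2, p1, p2):
    # Same CTR nonce: the keystreams cancel, so c1 XOR c2 == p1 XOR p2 (the two-message case).
    return xor(c1, c2) == xor(p1, p2)

def encryptions_until_iv_repeat(bits=32):
    # Random IVs until the first repeat: about sqrt(pi/2 * 2**bits) draws, ~2**16 for 32 bits.
    seen = set()
    while True:
        iv = secrets.randbits(bits)
        if iv in seen:
            return len(seen) + 1
        seen.add(iv)
```

Run `encryptions_until_iv_repeat()` a few times to see the 32-bit repeat land in the tens of thousands; with a fresh IV per message neither of the two leaks above is observable.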

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com