Question w.r.t. AES-CBC IV
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Sat Jul 10 03:06:32 EDT 2010
Ralph Holz <ralph-cryptometzger at ralphholz.de> writes:
>CTR mode seems a better choice here. Without getting too technical, security
>of CTR mode holds as long as the IVs used are "fresh" whereas security of CBC
>mode requires IVs to be random.
Unfortunately CTR mode, being a stream cipher, fails completely if the
IV's/keys aren't fresh (as you could force them to be for SRTP under SIP by
attacking the crypto handshake that preceded it, a nice example of attacking
across a protocol boundary, taking advantage of a weakness in one protocol to
break a second), while CBC only becomes a bit less secure. In addition CTR
mode fails trivially to integrity attacks, while with CBC it's often more
obvious (you get at least some total corruption before the self-healing takes
effect).
The problem with CTR is that, like RC4, it's very brittle, make a tiny mistake
anywhere and you're toast.
Peter.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list