[Cryptography] Killing two IV related birds with one stone

Yaron Sheffer yaronf.ietf at gmail.com
Thu Sep 12 10:41:56 EDT 2013

On 09/12/2013 03:15 AM, Perry E. Metzger wrote:
> On Wed, 11 Sep 2013 20:01:28 -0400 Jerry Leichter <leichter at lrw.com>
> wrote:
>>> ...Note that if you still transmit the IVs, a misimplemented
>>> client could still interoperate with a malicious counterparty
>>> that did not use the enforced method for IV calculation. If you
>>> don't transmit the IVs at all but calculate them, the system will
>>> not interoperate if the implicit IVs aren't calculated the same
>>> way by both sides, thus ensuring that the covert channel is
>>> closed.

IMO going through hoops to try to avoid covert channels is not worth our 
time. Both IPsec and TLS have a huge capacity for covert channels at the 
handshake (or key exchange) level, certainly enough to leak the 
*previous* session state. So plugging the per-record (per packet) holes 
is not interesting.

These are living protocols, and extensions create an infinite amount of 
redundancy. If you try to eliminate covert channels you need to freeze 
the protocol and engineer it specifically for that purpose. This may be 
right for a project like Tor, but not for a general purpose protocol.
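The explicit-versus-implicit IV distinction in the quoted passage, as an added illustration (not code from the thread or from any IPsec/TLS implementation): a toy record layer in plain Python where an HMAC-SHA256 keystream and tag stand in for a real AEAD cipher. In explicit mode the receiver trusts the IV carried on the wire; in implicit mode it derives the IV from a shared salt and the record sequence number, so a peer that deviates simply fails authentication rather than interoperating. The salt length, tag length and derivation formula are assumptions for the example.

```python
import hmac
import hashlib

TAG_LEN = 16  # assumed truncated tag length for the toy construction
IV_LEN = 8    # assumed IV/salt length


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    # Toy keystream: HMAC-SHA256(key, iv || block counter), cut to n bytes.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def implicit_iv(salt: bytes, seq: int) -> bytes:
    # Both sides derive the IV as salt XOR sequence number; nothing IV-related
    # is transmitted, so there is no field for a sender to modulate.
    return bytes(a ^ b for a, b in zip(salt, seq.to_bytes(IV_LEN, "big")))


def seal(key: bytes, iv: bytes, seq: int, plaintext: bytes) -> bytes:
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, iv, len(plaintext))))
    tag = hmac.new(key, iv + seq.to_bytes(8, "big") + ct, hashlib.sha256).digest()
    return ct + tag[:TAG_LEN]


def open_record(key: bytes, iv: bytes, seq: int, record: bytes):
    # Returns the plaintext, or None when the tag does not verify under this IV.
    ct, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(key, iv + seq.to_bytes(8, "big") + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected[:TAG_LEN]):
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(key, iv, len(ct))))


def receive_explicit(key: bytes, seq: int, wire: bytes):
    # Explicit mode: the receiver uses whatever IV the sender put on the wire,
    # so any sender-chosen IV still interoperates.
    return open_record(key, wire[:IV_LEN], seq, wire[IV_LEN:])


def receive_implicit(key: bytes, salt: bytes, seq: int, wire: bytes):
    # Implicit mode: the receiver recomputes the IV itself; a sender that used
    # any other IV fails authentication, so deviation is not interoperable.
    return open_record(key, implicit_iv(salt, seq), seq, wire)
```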
