[Cryptography] Question re: Initialization Vector for AES Counter Mode…
Jon Callas
jon at callas.org
Thu Apr 27 01:35:39 EDT 2017
> On Apr 26, 2017, at 8:23 PM, John Denker via cryptography <cryptography at metzdowd.com> wrote:
>
> On 04/26/2017 03:28 PM, Jon Callas wrote:
>
>> Personally, I would recommend that you *not* use counter mode or
>> anything resembling it for writing files.
>
> I agree with that 100%.
Thank you.
>
> A cipher "mode" is a kludge that kinda maybe sorta allows people
> to survive in situations where they can't (or won't) re-key ...
> but you should always ask yourself, why not just re-key? If
> your cipher cannot be efficiently or securely re-keyed, maybe
> you need a better cipher.
>
> Constructive suggestion: Use something like ChaCha20, which
> is designed to do a good job with file encryption (and a lot
> of other things). It has an enormous keyspace, and can be
> re-keyed efficiently. Construct the key from at least:
> -- The master key.
> -- The block number.
> -- A sequence number, depending on how many times the
> block has been rewritten. (This allows random access,
> as well as rewriting the whole file from the beginning.)
Well, ChaCha20 is a stream cipher. Everything I (and Jerry, thanks, Jerry!) said about stream ciphers applies to ChaCha as well.
If you want to do block-oriented work, what you want is a *tweakable* cipher.
Tweaks are a generalization of an IV/counter/nonce where you have complete security even if the tweak is under attacker control.
XTS mode is a tweakable mode for an AES-like cipher. It's great for things like disk blocks.
AEZ is an amazing tweakable construction from Rogaway and others, and has great promise.
In shameless self-promotion, Threefish is a tweakable cipher that comes in either 512 or 1024-bit variants.
>
>> Counter mode creates a stream cipher.
>
> Right.
>
>> it's like leaving a rake in the yard with the tines up.
>
> Good analogy.
Thank you!
Jon