[Cryptography] Question re: Initialization Vector for AES Counter Mode…

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu Apr 27 01:38:48 EDT 2017


Jon Callas <jon at callas.org> writes:

>Personally, I would recommend that you *not* use counter mode or anything 
>resembling it for writing files. 

+1.  CTR mode, and anything built from it, is way too brittle to be used 
safely, especially when there are far more robust modes available.

>When you're using counter mode, it doesn't matter what the counter is. 

Unless you're being rather oblique here and I'm missing something, I can't 
see how you could say the value doesn't matter.  If you're encrypting a 
bunch of files (and the OP did say "files", not just one file) and you reuse 
the counter value across any of them, you're back to the problems you 
described earlier in your post.  So:

>Zero is a great counter. It's an awful IV. 

is actually the exact opposite, it's an awful counter because you'll end up 
repeating the keystream, while it's merely a somewhat poor IV, you fail to 
hide the fact that two encrypted plaintext blocks start with the same data, 
which may or may not be an actual problem.

>OCB might be an option for you, too, but all of that's a different discussion.

I'd use OCB, but then you've potentially got patent issues unless you're very
careful about how it's used.

Peter.
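The contrast drawn in the message above, as an added example that is not part of the original post: under one key, a zero counter reused across two files makes the CTR keystream cancel out of the two ciphertexts, while a zero IV in CBC only reveals that the files begin with the same block. The key, the file contents and the function names are constructed for illustration, and the `uniq` counter block stands in for a per-file unique nonce.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed sample data: a demo key and two 32-byte "files" sharing their first block.
var key = []byte("0123456789abcdef")
var fileA = []byte("HEADER-v1-000000account=alice;;;")
var fileB = []byte("HEADER-v1-000000account=bob;;;;;")

// encCTR encrypts with AES-CTR; iv is the initial 16-byte counter block.
func encCTR(iv, pt []byte) []byte {
	blk, _ := aes.NewCipher(key) // key is 16 bytes, so this cannot fail
	ct := make([]byte, len(pt))
	cipher.NewCTR(blk, iv).XORKeyStream(ct, pt)
	return ct
}

// encCBC encrypts with AES-CBC; pt must be a multiple of 16 bytes.
func encCBC(iv, pt []byte) []byte {
	blk, _ := aes.NewCipher(key)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, pt)
	return ct
}

// ctrLeaksXOR reports whether ctA XOR ctB equals fileA XOR fileB,
// i.e. whether the keystream repeated and dropped out of the ciphertexts.
func ctrLeaksXOR(ivA, ivB []byte) bool {
	ca, cb := encCTR(ivA, fileA), encCTR(ivB, fileB)
	for i := range ca {
		if ca[i]^cb[i] != fileA[i]^fileB[i] {
			return false
		}
	}
	return true
}

func main() {
	zero, uniq := make([]byte, aes.BlockSize), make([]byte, aes.BlockSize)
	uniq[0] = 1 // placeholder for a counter block never reused under this key
	fmt.Println("CTR, zero counter for both files, XOR leaks:", ctrLeaksXOR(zero, zero))
	fmt.Println("CTR, distinct counter per file, XOR leaks:", ctrLeaksXOR(zero, uniq))
	ea, eb := encCBC(zero, fileA), encCBC(zero, fileB)
	fmt.Println("CBC, zero IV, first blocks equal:", bytes.Equal(ea[:16], eb[:16]))
	fmt.Println("CBC, zero IV, second blocks equal:", bytes.Equal(ea[16:], eb[16:]))
}
```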

