[Cryptography] Question re: Initialization Vector for AES Counter Mode…

Jon Callas jon at callas.org
Thu Apr 27 19:01:16 EDT 2017


> On Apr 26, 2017, at 10:38 PM, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
> 
>> Zero is a great counter. It's an awful IV. 
> 
> is actually the exact opposite, it's an awful counter because you'll end up 
> repeating the keystream, while it's merely a somewhat poor IV, you fail to 
> hide the fact that two encrypted plaintext blocks start with the same data, 
> which may or may not be an actual problem.

I stared at your comment with confusion and realize where I miscommunicated.

I meant that zero is a good starting point for a counter, not a good increment. Obviously, with zero as an increment, it's just ECB+XOR.

> 
>> OCB might be an option for you, too, but all of that's a different discussion.
> 
> I'd use OCB, but then you've potentially got patent issues unless you're very
> careful about how it's used.

Yes. I'm disappointed here, because really unwinding OCB issues would make it all go away. OCB is what we all really want and everything else is an approximation of it.

	Jon
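
Added example, not part of the original message: a small CTR-mode sketch showing why starting the counter at zero is fine while a zero increment reuses one keystream block for every plaintext block, the "ECB+XOR" case above. Assumptions: HMAC-SHA256 truncated to 16 bytes stands in for the AES block encryption, and the key, nonce, plaintext and the 8-byte nonce plus 8-byte counter layout are constructed for illustration.

```python
import hashlib
import hmac

BLOCK = 16  # AES block size in bytes


def prf_block(key: bytes, counter_block: bytes) -> bytes:
    # Stand-in for AES-encrypting the counter block (assumption, not real AES).
    return hmac.new(key, counter_block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_xor(key: bytes, nonce: bytes, data: bytes, start: int = 0, step: int = 1) -> bytes:
    """CTR encrypt/decrypt. Counter block = 8-byte nonce || 8-byte big-endian counter."""
    if len(nonce) != 8:
        raise ValueError("nonce must be 8 bytes")
    out = bytearray()
    counter = start
    for off in range(0, len(data), BLOCK):
        keystream = prf_block(key, nonce + counter.to_bytes(8, "big"))
        out += xor(data[off:off + BLOCK], keystream)
        counter = (counter + step) % (1 << 64)  # step=0 never advances the counter
    return bytes(out)


def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


# Constructed sample values: three 16-byte blocks, the first two identical.
KEY = bytes(range(32))
NONCE = b"N0NCE001"
PLAINTEXT = b"ATTACK AT DAWN!!" * 2 + b"RETREAT AT DUSK!"


def demo() -> dict:
    p = blocks(PLAINTEXT)
    good = blocks(ctr_xor(KEY, NONCE, PLAINTEXT, start=0, step=1))
    bad = blocks(ctr_xor(KEY, NONCE, PLAINTEXT, start=0, step=0))
    return {
        # start=0, step=1: equal plaintext blocks encrypt differently.
        "good_repeats": good[0] == good[1],
        # step=0: equal plaintext blocks give equal ciphertext blocks, as in ECB.
        "bad_repeats": bad[0] == bad[1],
        # step=0: XOR of two ciphertext blocks equals XOR of the plaintext blocks.
        "bad_leaks_xor": xor(bad[0], bad[2]) == xor(p[0], p[2]),
        "good_leaks_xor": xor(good[0], good[2]) == xor(p[0], p[2]),
    }


if __name__ == "__main__":
    print(demo())
```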


