| > > Frankly, for SSH this isn't a very plausible attack, since it's not
| > > clear how you could force chosen plaintext into an SSH session between
| > > messages. A later paper suggested that SSL is more vulnerable:
| > > A browser plugin can insert data into an SSL protected session, so
| > > might be able to cause information to leak.
| >
| > Hmm, what about IPSec? Aren't most of the cipher suites used there
| > CBC mode?
|
| ESP does not chain blocks across packets. One could produce an ESP
| implementation that did so, but there is really no good reason for
| that, and as has been widely discussed, an implementation SHOULD use
| a PRNG to generate the IV for each packet.

I hope it's a cryptographically secure PRNG. The attack doesn't require
any particular IV, just one known to an attacker ahead of time.

However, cryptographically secure RNGs are typically just as expensive as
doing a block encryption. So why not just encrypt the IV once with the
session key before using it? (This is the equivalent of pre-pending a
block of all 0's to each packet.)

-- Jerry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
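The chained-IV attack Jerry refers to, and his encrypt-the-IV countermeasure, worked through as an added example; this is editor's code, not anything posted to the list. It models a session that reuses the last ciphertext block of one message as the IV of the next (the SSH-style construction the thread is about) and shows the attacker's one-message test of a guess for an earlier plaintext block: knowing the next IV in advance, the attacker submits `guess XOR C_prev XOR IV`, which makes the cipher input `guess XOR C_prev`, so the first ciphertext block equals the earlier block exactly when the guess is right. Running the IV through the block cipher under the session key first denies the attacker the effective IV and the probe fails. The last function checks the equivalence Jerry states, that CBC under `E(IV)` is CBC under `IV` with an all-zero block prepended. Assumptions: a 4-round Feistel network over HMAC-SHA256 stands in for AES so the code needs only the standard library, and the key, IVs and messages are constructed.

```python
"""Chained-CBC IV attack and the encrypt-the-IV countermeasure (added example)."""
import hashlib
import hmac

BLOCK = 16          # 128-bit blocks, as for AES
ZERO_BLOCK = bytes(BLOCK)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function for the Feistel stand-in cipher below.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 128-bit block cipher: a 4-round Feistel network with an
    HMAC-SHA256 round function (Luby-Rackoff construction). It replaces AES
    only so this example runs on the standard library; any real PRP works."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, xor(left, _f(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = xor(right, _f(key, rnd, left)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Plain CBC over whole blocks: C_i = E(P_i XOR C_{i-1}), C_0 = iv."""
    assert len(plaintext) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(prev, plaintext[i:i + BLOCK]))
        out.append(prev)
    return b"".join(out)


class ChainedCbcSession:
    """Models the chained-IV construction under discussion: the IV for
    message n+1 is the last ciphertext block of message n, so an attacker
    watching the wire knows it before choosing the next plaintext.
    With encrypt_iv=True the session applies Jerry's proposal and runs the
    IV through the block cipher under the session key before using it."""

    def __init__(self, key: bytes, first_iv: bytes, encrypt_iv: bool = False):
        self.key, self.next_iv, self.encrypt_iv = key, first_iv, encrypt_iv

    def send(self, plaintext: bytes) -> bytes:
        iv = self.next_iv
        if self.encrypt_iv:
            iv = block_encrypt(self.key, iv)   # attacker knows next_iv, not E(next_iv)
        ct = cbc_encrypt(self.key, iv, plaintext)
        self.next_iv = ct[-BLOCK:]            # chaining across messages
        return ct


def probe(session: ChainedCbcSession, c_prev: bytes, c_target: bytes,
          guess: bytes) -> bool:
    """Attacker's test of one guess for an earlier plaintext block P_i.
    c_target = E(P_i XOR c_prev). With the next IV known in advance,
    submitting guess XOR c_prev XOR IV makes the cipher input guess XOR c_prev,
    so the first ciphertext block equals c_target iff guess == P_i."""
    iv_known_to_attacker = session.next_iv
    chosen = xor(xor(guess, c_prev), iv_known_to_attacker)
    return session.send(chosen)[:BLOCK] == c_target


def run_attack(encrypt_iv: bool) -> tuple:
    """Returns (right guess confirmed?, wrong guess confirmed?)."""
    key = b"constructed-key!"                            # constructed session key
    session = ChainedCbcSession(key, bytes(range(BLOCK)), encrypt_iv)
    secret = b"Authorization:  " + b"password=hunter2"  # constructed, 2 blocks
    ct = session.send(secret)
    c_prev, c_target = ct[:BLOCK], ct[BLOCK:]          # block 1 and its predecessor
    right = probe(session, c_prev, c_target, b"password=hunter2")
    wrong = probe(session, c_prev, c_target, b"password=letmein")
    return right, wrong


def iv_encryption_equals_zero_block_prefix(key: bytes, iv: bytes,
                                           plaintext: bytes) -> bool:
    """Jerry's equivalence: CBC under E(iv) is CBC under iv with an all-zero
    block prepended, minus that first ciphertext block (which is E(iv))."""
    with_encrypted_iv = cbc_encrypt(key, block_encrypt(key, iv), plaintext)
    with_zero_prefix = cbc_encrypt(key, iv, ZERO_BLOCK + plaintext)
    return (with_zero_prefix[BLOCK:] == with_encrypted_iv
            and with_zero_prefix[:BLOCK] == block_encrypt(key, iv))
```

`run_attack(False)` confirms the right guess and rejects the wrong one with one chosen message each; `run_attack(True)` rejects both, because the effective IV is `E(next_iv)` and the attacker only knows `next_iv`. The cost of the countermeasure is the one extra block encryption Jerry mentions, the same as the zero-block prefix it is equivalent to.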