On Sun, Apr 22, 2007 at 05:59:54PM -0700, Aram Perez wrote:
> No, there will be message integrity. For those of you asking, here's
> a high-level overview of the protocol:
> [...]
> 3) Data needing confidentiality is encrypted with the SK in the mode
> selected in step 1. The message is integrity protected with MK. A new
> MK is generated after a message is sent using MK(i+1) = H[MK(i)]

You don't necessarily have to change the integrity protection key for
every message.

One thing this says is that the protocol involves an ordered stream of
messages.

> Hope this clarifies things somewhat.

It does.

You can get by without a random IV by using CBC analogously to how you
use counter modes and cipher streams in general. The key thing is to
avoid key and IV/counter re-use. For a protocol where ordered delivery
of messages is expected/required this is easy to achieve. Derive the
key and/or counter/IV from a message sequence number and do it in such
a way that you either cannot repeat them or are very, very unlikely to
repeat them and you're fine. But be careful. Simply chaining the IV
from message to message will create problems (see SSH).

What is the concern with using random IVs/confounders anyways? The need
for an entropy source? If so keep in mind that a PRNG will be
sufficient for generating the IVs/confounders and that you'll generally
need some source of entropy for at least some protocol elements (e.g.,
nonces).

Nico

--
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
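The scheme Nico describes, as an added example that is not part of the thread: each message's IV is a PRF of its sequence number (no random IV, no chaining from the previous message), the integrity key ratchets as MK(i+1) = H[MK(i)], and the receiver enforces the ordered stream by rejecting replayed or out-of-order messages. The HMAC-SHA256 counter keystream stands in for the cipher mode negotiated in step 1, and `Endpoint`, `derive_iv` and `ratchet` are names chosen here, not the protocol's.

```python
import hashlib
import hmac


def ratchet(mk: bytes) -> bytes:
    """MK(i+1) = H[MK(i)], the per-message integrity-key update from the quoted protocol."""
    return hashlib.sha256(mk).digest()


def derive_iv(sk: bytes, seq: int) -> bytes:
    """IV as a PRF of the sequence number: distinct seq gives a distinct IV,
    so no randomness is needed and no IV repeats within a session."""
    return hmac.new(sk, b"iv" + seq.to_bytes(8, "big"), hashlib.sha256).digest()[:16]


def keystream(sk: bytes, iv: bytes, n: int) -> bytes:
    """Counter-mode keystream built from HMAC (assumed stand-in for the real cipher mode)."""
    out = b""
    for block in range((n + 31) // 32):
        out += hmac.new(sk, iv + block.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Endpoint:
    """One direction of the ordered stream: seq and MK advance in lockstep on both sides."""

    def __init__(self, sk: bytes, mk: bytes):
        self.sk, self.mk, self.seq = sk, mk, 0

    def send(self, plaintext: bytes) -> bytes:
        header = self.seq.to_bytes(8, "big")
        ct = xor(plaintext, keystream(self.sk, derive_iv(self.sk, self.seq), len(plaintext)))
        tag = hmac.new(self.mk, header + ct, hashlib.sha256).digest()  # integrity under MK(i)
        self.seq, self.mk = self.seq + 1, ratchet(self.mk)
        return header + ct + tag

    def recv(self, msg: bytes) -> bytes:
        header, ct, tag = msg[:8], msg[8:-32], msg[-32:]
        if int.from_bytes(header, "big") != self.seq:
            raise ValueError("out-of-order or replayed message")  # ordered delivery required
        expected = hmac.new(self.mk, header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("integrity check failed")
        plaintext = xor(ct, keystream(self.sk, derive_iv(self.sk, self.seq), len(ct)))
        self.seq, self.mk = self.seq + 1, ratchet(self.mk)  # advance only after a good message
        return plaintext
```

Both sides start from the same SK and MK (constructed demo keys in the test; in the protocol they come from steps 1 and 2), and a message that fails the sequence or tag check leaves the receiver's state untouched so the legitimate next message still verifies.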
