Hi Nico,

On Apr 23, 2007, at 8:11 AM, Nicolas Williams wrote:

On Sun, Apr 22, 2007 at 05:59:54PM -0700, Aram Perez wrote:
No, there will be message integrity. For those of you asking, here's
a high-level overview of the protocol:

[...]

3) Data needing confidentiality is encrypted with the SK in the mode
selected in step 1. The message is integrity protected with MK. A new
MK is generated after a message is sent using MK(i+1) = H[MK(i)]

You don't necessarily have to change the integrity protection key for
every message.  One thing this says is that the protocol involves an
ordered stream of messages.

You need to change the integrity key if you want to prevent replay attacks.

No, the messages do not have to be ordered in any fashion. And in fact, an attacker would not send the messages in the correct order.


Hope this clarifies things somewhat.

It does. You can get by without a random IV by using CBC analogously to how you use counter modes and cipher streams in general. The key thing
is to avoid key and IV/counter re-use.  For a protocol where ordered
delivery of messages is expected/required this is easy to achieve.

Derive the key and/or counter/IV from a message sequence number and do
it in such a way that you either cannot repeat them or are very, very
unlikely to repeat them and you're fine.

But be careful.  Simply chaining the IV from message to message will
create problems (see SSH).

The intention would be a new IV with each message being sent.

What is the concern with using random IVs/confounders anyways? The need
for an entropy source?  If so keep in mind that a PRNG will be
sufficient for generating the IVs/confounders and that you'll generally
need some source of entropy for at least some protocol elements (e.g.,
nonces).

The concern was that "that's the way SD cards do it today". Another response was "you haven't heard of anyone breaking SD cards have you?"

Thanks,
Aram
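
The following is an added example, written for this page and not Aram Perez's protocol or code. It models the message layer the thread argues about: per-message IV/counter derived from a sequence number (Nico's suggestion, so no random IV is needed), encrypt-then-MAC under MK(i) with MK(i+1) = H[MK(i)] (step 3 above), and a receiver that accepts messages out of order yet refuses a replayed or tampered one. Everything the thread leaves unspecified is an assumption here: the 8-byte sequence-number header, the cipher (HMAC-SHA256 as a PRF in counter mode stands in for "the mode selected in step 1"), the acceptance window, and the constructed keys.

```python
# Added example; not the protocol from the thread. Assumptions are marked as such.
import hmac
import hashlib
import struct

HASH = hashlib.sha256
TAG_LEN = HASH().digest_size   # 32-byte HMAC-SHA256 tag
HDR = struct.Struct(">Q")      # assumed header: 8-byte big-endian sequence number


def ratchet(mk: bytes) -> bytes:
    """MK(i+1) = H[MK(i)], as in step 3 of the thread."""
    return HASH(mk).digest()


def mk_at(mk_base: bytes, base: int, i: int) -> bytes:
    """Walk the chain forward from MK(base) to MK(i); it cannot be walked backwards."""
    if i < base:
        raise ValueError("cannot derive an earlier MK from a later one")
    mk = mk_base
    for _ in range(i - base):
        mk = ratchet(mk)
    return mk


def keystream(sk: bytes, seq: int, length: int) -> bytes:
    """Assumed cipher: HMAC-SHA256(SK, seq || block) as a PRF in counter mode.
    (seq, block) is the IV/counter: derived from the sequence number, so it never
    repeats under one SK and needs no entropy source."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(sk, struct.pack(">QQ", seq, block), HASH).digest()
        block += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Sender:
    def __init__(self, sk: bytes, mk0: bytes):
        self.sk, self.mk, self.seq = sk, mk0, 0

    def send(self, plaintext: bytes) -> bytes:
        hdr = HDR.pack(self.seq)
        ct = xor(plaintext, keystream(self.sk, self.seq, len(plaintext)))
        tag = hmac.new(self.mk, hdr + ct, HASH).digest()   # encrypt-then-MAC under MK(i)
        self.mk = ratchet(self.mk)                          # MK(i+1) = H[MK(i)]
        self.seq += 1
        return hdr + ct + tag


class Receiver:
    """Accepts messages in any order within a window; each (seq, MK(seq)) is usable once."""

    def __init__(self, sk: bytes, mk0: bytes, window: int = 64):
        self.sk, self.mk_base, self.base, self.window = sk, mk0, 0, window
        self.seen = set()   # accepted seqs >= base that are not yet contiguous with base

    def receive(self, msg: bytes) -> bytes:
        if len(msg) < HDR.size + TAG_LEN:
            raise ValueError("truncated message")
        hdr, ct, tag = msg[:HDR.size], msg[HDR.size:-TAG_LEN], msg[-TAG_LEN:]
        (seq,) = HDR.unpack(hdr)
        if seq < self.base or seq in self.seen:
            raise ValueError("replay: sequence number already consumed")
        if seq >= self.base + self.window:
            raise ValueError("sequence number too far ahead")   # bounds the hashing work
        expected = hmac.new(mk_at(self.mk_base, self.base, seq), hdr + ct, HASH).digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("integrity check failed")
        self.seen.add(seq)
        # Slide the window: once the run from base is contiguous, those MKs are gone for good.
        while self.base in self.seen:
            self.seen.discard(self.base)
            self.mk_base = ratchet(self.mk_base)
            self.base += 1
        return xor(ct, keystream(self.sk, seq, len(ct)))


def rejects(receiver: Receiver, msg: bytes) -> bool:
    """True if the receiver refuses msg (shows replay and tamper rejection)."""
    try:
        receiver.receive(msg)
        return False
    except ValueError:
        return True


def demo():
    sk, mk0 = b"\x11" * 32, b"\x22" * 32   # constructed keys; the thread's steps 1-2 would establish them
    s, r = Sender(sk, mk0), Receiver(sk, mk0)
    m = [s.send(b"message %d" % i) for i in range(3)]
    results = [r.receive(m[0]), r.receive(m[2])]            # out-of-order delivery is accepted
    replayed = rejects(r, m[2])                              # a second copy of m[2] is refused
    tampered = rejects(r, m[1][:-TAG_LEN - 1] + bytes([m[1][-TAG_LEN - 1] ^ 1]) + m[1][-TAG_LEN:])
    results.append(r.receive(m[1]))                          # the genuine m[1] still gets through
    return results, replayed, tampered


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would want. The chain is one-way, so a receiver that has slid its base forward can no longer verify (or be tricked into accepting) anything older, which is what gives the replay protection; but anyone who learns MK(i) can compute every later MK by hashing, so the ratchet adds no protection against a compromised current key. And the sequence number has to travel in the clear with the message: without it, an unordered receiver would not know which MK(i) to try.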


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
