Some of the messages in this stream have demonstrated why it can be
difficult to get non-crypto people to listen to advice from crypto
experts:  Cryptography research is, by its nature, a pretty absolute
thing.  We find attacks, we try to eliminate them.  There's a strong
tendency to view *any* attack as significant, so *any* use of a
technique "known to be weak" is frowned on.

However, the issue isn't cryptography, it's security; and security
is a cost/benefit tradeoff.  Some of the other messages in this
thread have already made that point, by looking at some of the
specific tradeoffs that have to be made (usability, efficiency,
time to market, etc.)  However, in this particular case, one can
even analyze the threat quite directly.

Suppose we use AES128-CBC with a fixed IV.  It's clear that the only
vulnerability of concern occurs when a key is reused.  OK, where do
the keys come from?  We're told that they are session keys.  Assuming
that these are generated *correctly* - they are effectively random
independent variables - then you'd need to see 2^64 sessions to get
a 50% chance of a repeated key.  Note:  Note 2^64 *blocks* - something
you might actually get in a reasonable amount of time on the fastest
links - but 2^64 *sessions*.  Is that within the realm of interest
for this protocol?  Maybe, maybe not.  (Most likely not.)

A decent protocol will have authentication and some kind of anti-replay
mechanism.  Even if someone gets hold of two sessions that used the
same key, the authentication mechanism will block attempts to
merge data from the two sessions.  Alternatively, any anti-replay
mechanism will require carrying a nonce of some sort in the stream.
Realistically, this will be sent very early in the session, pretty
much ensuring that even with common keys and a common IV, there will
be little common data.  In fact, a practical recommendation might be
to put the nonce in the first block, in which case it ends up playing
the role of an IV and the whole discussion disappears.

In summary:  Yes, ideally one uses a random IV.  In practice, what this
adds - in many common protocol styles - is robustness of a sort, not
real additional security.  (However, actual robustness of cryptosystems -
robustness against all the common kinds of errors that people make in
design, implementation, fielding, and use - doesn't appear to be within
reach of current techniques.)  If possible, it's certainly better to use
the best practices known - and random or nonce IV's are among those - 
but getting defensive about how "no one is listening to the crypto
experts" is not appropriate here.  Save that for the really egregious
mistakes - of which there are plenty.
                                                        -- Jerry

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to