> > Suppose we use AES128-CBC with a fixed IV. It's clear that the only
> > vulnerability of concern occurs when a key is reused. OK, where do
>
> No, remember that if the IV is in the clear, an attacker can
> make some controlled bit changes in the first plaintext block.
> (There has been no assumption of integrity enforcement.)

I wonder how Adam Perez is communicating the IV. In the original proposal, the IV was *fixed*: it was always 0. As a result, it wasn't communicated, so could not be manipulated.

Integrity enforcement is required for other reasons anyway (and, based on later responses, was always part of the protocol).

-- Jerry
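The two points in the exchange above (a transmitted IV lets a change to the IV show up as exactly the same change in the receiver's first plaintext block, and a fixed, untransmitted IV of zero still leaves the message without any integrity protection) can be checked directly in code. The following is an added example, not code from the mailing list or from Adam Perez's proposal. It uses a toy Feistel block cipher built from HMAC-SHA256 as a stand-in for AES-128 so that it runs with the Python standard library alone; the behaviour it demonstrates is a property of CBC mode and does not depend on the cipher. The keys and message are constructed sample values, and the encrypt-then-MAC construction (`seal`/`open_sealed`) is one common way of supplying the integrity enforcement Jerry says is required anyway, not a description of the protocol under discussion.

```python
import hashlib
import hmac
import os

BLOCK = 16
ZERO_IV = bytes(BLOCK)  # the "fixed IV" of the original proposal: all zeros, never sent


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Toy 16-byte block cipher: a 4-round Feistel network whose round function is
# HMAC-SHA256 under the key. It stands in for AES-128 only so that the example
# runs offline; everything shown below comes from CBC mode, not the cipher.
def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    assert len(pt) % BLOCK == 0, "example uses block-aligned input, no padding"
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out.append(xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def first_block_effect_of_iv_change(key: bytes, pt: bytes, iv_delta: bytes) -> bytes:
    """The point made in the quoted reply: when the IV travels in the clear and
    `iv_delta` is XORed into it in transit, the receiver's first plaintext block
    differs from the sender's by exactly `iv_delta` and later blocks are
    untouched. Returns sent-plaintext XOR received-plaintext so that claim can
    be checked. With a fixed IV that is never sent, this lever does not exist."""
    iv = os.urandom(BLOCK)
    ct = cbc_encrypt(key, iv, pt)
    received = cbc_decrypt(key, xor(iv, iv_delta), ct)
    return xor(pt, received)


def seal(key_enc: bytes, key_mac: bytes, pt: bytes):
    """Jerry's point: integrity enforcement is needed regardless of the IV.
    Encrypt-then-MAC under the fixed zero IV; only ciphertext and tag are sent."""
    ct = cbc_encrypt(key_enc, ZERO_IV, pt)
    tag = hmac.new(key_mac, ct, hashlib.sha256).digest()
    return ct, tag


def open_sealed(key_enc: bytes, key_mac: bytes, ct: bytes, tag: bytes):
    """Verify the tag before decrypting; any change to the ciphertext yields None."""
    expected = hmac.new(key_mac, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return cbc_decrypt(key_enc, ZERO_IV, ct)


# Constructed sample keys and message (not real key material).
KEY_ENC = hashlib.sha256(b"constructed example encryption key").digest()[:16]
KEY_MAC = hashlib.sha256(b"constructed example mac key").digest()
MESSAGE = b"0123456789abcdef" + b"ghijklmnopqrstuv"  # two 16-byte blocks

if __name__ == "__main__":
    delta = bytes([0x01]) + bytes(BLOCK - 1)
    print(first_block_effect_of_iv_change(KEY_ENC, MESSAGE, delta).hex())
    ct, tag = seal(KEY_ENC, KEY_MAC, MESSAGE)
    print(open_sealed(KEY_ENC, KEY_MAC, ct, tag))
    print(open_sealed(KEY_ENC, KEY_MAC, xor(ct, delta + bytes(BLOCK)), tag))
```

The first call reports a difference equal to the IV change in block one and zero in block two; the sealed message decrypts only while the tag verifies, and any modification to the ciphertext is rejected before decryption is attempted.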