| > Suppose we use AES128-CBC with a fixed IV.  It's clear that the only
| > vulnerability of concern occurs when a key is reused.  OK, where do
| No, remember that if the IV is in the clear, an attacker can
| make some controlled bit changes in the first plaintext block.
| (There has been no assumption of integrity enforcement.)
| I wonder how Adam Perez is communicating the IV.
In the original proposal, the IV was *fixed*:  It was always 0.  As a
result, it wasn't communicated, so could not be manipulated.

Integrity enforcement is required for other reasons anyway (and, based
on later responses, was always part of the protocol).

                                                        -- Jerry

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to