On Wed, 25 Apr 2007, Travis H. wrote:

> > If the IV chained across contiguous messages as in SSHv2
> > then you have a problem (see above).
>
> I don't fully understand what it means to have IVs chained
> across contiguous (?) messages, as in CBC mode each ciphertext
> block forms the "IV" of the block after it, effectively;
> basically an IV is just C_0 for some stream.

The order of events is important. Consider a chosen-plaintext attack: a secret message was sent over a CBC-encrypted channel. For example, it was a single block with padded "yes" or "no", and the encryption is x0||x1, where x0 is a random IV and x1 = E(x0 xor "yes"). The attacker can now submit their message to find the secret one. If the attacker knows that x1 is going to be used as the next IV, they can try to submit m = x0 xor "yes" xor x1; it will be encrypted as x2 = E(m xor x1) = E(x0 xor "yes") = x1, so if x2 = x1 the attacker knows that "yes" was sent, otherwise it was "no". If the new IV is randomly selected *after* the attacker has made his choice, the attack is impossible.

-- 
Regards, ASK

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
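The following is an added worked example, not code from the thread or from any SSH implementation. It builds the two channels ASK's reply contrasts: one that chains the last ciphertext block into the next message's IV, and one that picks a fresh random IV only after the plaintext is fixed. The distinguishing step is exactly the one in the post (submit x0 xor guess xor IV, compare the result with x1), run by a "yes"/"no" oracle over both channels so the difference is visible. A 16-byte Feistel network built from HMAC-SHA256 rounds stands in for AES purely so the code runs on the standard library; the key, the secret words, and the channel classes are all constructed here and are assumptions of the example, not anything the post specifies.

```python
import hashlib
import hmac
import os

BLOCK = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function: HMAC-SHA256 as a keyed PRF, truncated to half a block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[: BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 16-byte block cipher: a 4-round Feistel network over HMAC-SHA256.
    It is a permutation (as CBC requires) and stands in for AES here only so
    the example runs without third-party libraries."""
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    assert len(msg) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(msg), BLOCK):
        prev = block_encrypt(key, xor(msg[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out.append(xor(block_decrypt(key, blk), prev))
        prev = blk
    return b"".join(out)


class ChainedIvChannel:
    """CBC channel whose IV for message n+1 is the last ciphertext block of
    message n (the chaining the post attributes to SSHv2). Only the very first
    IV is random; every later IV is predictable from traffic already seen."""

    def __init__(self, key: bytes):
        self.key, self.iv = key, os.urandom(BLOCK)

    def send(self, msg: bytes) -> bytes:
        ct = cbc_encrypt(self.key, self.iv, msg)
        iv_used, self.iv = self.iv, ct[-BLOCK:]
        return iv_used + ct  # IV prefixed for uniformity; it was public anyway


class RandomIvChannel:
    """CBC channel that draws a fresh random IV per message, after the plaintext
    has been chosen, and transmits it with the ciphertext."""

    def __init__(self, key: bytes):
        self.key = key

    def send(self, msg: bytes) -> bytes:
        iv = os.urandom(BLOCK)
        return iv + cbc_encrypt(self.key, iv, msg)


def pad(word: bytes) -> bytes:
    return word.ljust(BLOCK, b"\x00")


def recover_secret(channel, x0: bytes, x1: bytes, candidates):
    """The post's chosen-plaintext step. The attacker observed x0 (the IV used
    for the secret) and x1 = E(x0 xor secret) and assumes the next IV is the
    last ciphertext block. Submitting x0 xor guess xor iv is encrypted as
    E(x0 xor guess), which equals x1 exactly when the guess is right.
    Returns the matching candidate, or None if no guess produced x1."""
    iv = x1
    for guess in candidates:
        x2 = channel.send(xor(xor(x0, pad(guess)), iv))[-BLOCK:]
        if x2 == x1:
            return guess
        iv = x2  # on a chained channel the attacker's own block is the next IV
    return None


def run(channel_cls, secret: bytes = b"no"):
    """Constructed scenario: the victim sends one padded block, then the
    attacker queries the same channel. Returns what the attacker learns."""
    channel = channel_cls(os.urandom(32))
    wire = channel.send(pad(secret))
    x0, x1 = wire[:BLOCK], wire[BLOCK:]
    return recover_secret(channel, x0, x1, [b"yes", b"no"])


if __name__ == "__main__":
    print("chained IV, secret 'no' :", run(ChainedIvChannel, b"no"))
    print("chained IV, secret 'yes':", run(ChainedIvChannel, b"yes"))
    print("random IV,  secret 'no' :", run(RandomIvChannel, b"no"))
```

On the chained channel the oracle names the secret every time (the second guess still works because the attacker tracks the new IV, which is their own ciphertext block). On the random-IV channel the same procedure returns None: the IV is chosen after the plaintext, so the attacker cannot cancel it and the comparison with x1 carries no information. The fix the post points to is therefore not a stronger cipher but the ordering of IV selection relative to the attacker's choice.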
