On Jul 9, 2010, at 1:55 12PM, Jonathan Katz wrote:

> CTR mode seems a better choice here. Without getting too technical, security 
> of CTR mode holds as long as the IVs used are "fresh" whereas security of CBC 
> mode requires IVs to be random.
> 
> In either case, a problem with a short IV (no matter what you do) is the 
> possibility of IVs repeating. If you are picking 32-bit IVs at random, you 
> expect a repeat after only (roughly) 2^16 encryptions (which is not very 
> many).
> 

Unless I misunderstand your point, I think that in the real world there's a 
very real difference in the insecurity of CBC vs CTR if the IV selection is 
faulty.  With CBC, there is semantic insecurity, in that one can tell if two 
messages have a common prefix if the IV is the same.  Furthermore, if the IV is 
predictable to the adversary under certain circumstances some plaintext can be 
recovered.

With CTR, however, there are very devastating two-message attacks if the IVs 
are the same; all that's necessary is some decent knowledge of some probable 
plaintext.  


                --Steve Bellovin, http://www.cs.columbia.edu/~smb





---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
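
Added example, not part of the original message: a short Python sketch of the three points raised in this exchange (the CTR two-message problem under a repeated IV, the CBC common-prefix leak under a repeated IV, and how quickly random 32-bit IVs repeat). It assumes HMAC-SHA256 truncated to 16 bytes as a stand-in for the block cipher; the key, IV and messages are constructed sample data.

```python
import hashlib, hmac, math

BLOCK = 16  # bytes per block; the 32-bit IV is 4 bytes, as in the thread

def prf(key, block):
    # Assumption: HMAC-SHA256 truncated to one block stands in for the block
    # cipher's forward direction (encryption only, which is all this needs).
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_encrypt(key, iv, pt):
    # Keystream block i = prf(key, iv || i); ciphertext = plaintext XOR keystream.
    return b"".join(
        xor(pt[i:i + BLOCK], prf(key, iv + (i // BLOCK).to_bytes(12, "big")))
        for i in range(0, len(pt), BLOCK))

def cbc_encrypt(key, iv, pt):
    # pt must be a whole number of blocks; the short IV is zero-padded.
    prev, out = iv.ljust(BLOCK, b"\0"), []
    for i in range(0, len(pt), BLOCK):
        prev = prf(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def equal_leading_blocks(c1, c2):
    # Number of identical ciphertext blocks at the start of both messages.
    n = 0
    while n * BLOCK < min(len(c1), len(c2)) and \
            c1[n * BLOCK:(n + 1) * BLOCK] == c2[n * BLOCK:(n + 1) * BLOCK]:
        n += 1
    return n

def repeat_probability(iv_bits, n):
    # Birthday approximation for n IVs drawn uniformly at random.
    return 1 - math.exp(-n * (n - 1) / 2 ** (iv_bits + 1))

# Constructed sample data: two messages sharing their first two blocks.
KEY, IV = b"k" * 16, bytes.fromhex("0000002a")
M1 = b"HEADER-BLOCK-001HEADER-BLOCK-002amount=100;to=A."
M2 = b"HEADER-BLOCK-001HEADER-BLOCK-002amount=999;to=B."

if __name__ == "__main__":
    c1, c2 = ctr_encrypt(KEY, IV, M1), ctr_encrypt(KEY, IV, M2)
    print("CTR, same IV: c1^c2 == m1^m2:", xor(c1, c2) == xor(M1, M2))
    print("CBC, same IV: equal leading blocks:",
          equal_leading_blocks(cbc_encrypt(KEY, IV, M1), cbc_encrypt(KEY, IV, M2)))
    print("P(repeat) among 2^16 random 32-bit IVs: %.3f" % repeat_probability(32, 2 ** 16))
```

With a repeated IV, CTR cancels the keystream entirely, so the XOR of the two ciphertexts equals the XOR of the two plaintexts, while CBC reveals only how many leading blocks the messages share.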
