Ralph Holz <ralph-cryptometz...@ralphholz.de> writes:

>CTR mode seems a better choice here. Without getting too technical, security
>of CTR mode holds as long as the IVs used are "fresh" whereas security of CBC
>mode requires IVs to be random.

Unfortunately CTR mode, being a stream cipher, fails completely if the
IV's/keys aren't fresh (as you could force them to be for SRTP under SIP by
attacking the crypto handshake that preceded it, a nice example of attacking
across a protocol boundary, taking advantage of a weakness in one protocol to
break a second), while CBC only becomes a bit less secure.  In addition CTR
mode fails trivially to integrity attacks, while with CBC it's often more
obvious (you get at least some total corruption before the self-healing takes

The problem with CTR is that, like RC4, it's very brittle, make a tiny mistake
anywhere and you're toast.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Reply via email to