On Sep 10, 2013, at 5:49 PM, "Perry E. Metzger" <pe...@piermont.com> wrote: >> Phil Rogoway has a paper somewhere discussing the right way to >> implement cryptographic modes and API's. > > It would be useful to get a URL for it. > >> In particular, he recommends changing the definition of CBC...to >> >> E_0 = E(IV) # Not transmitted >> E_{i+1} = E(E_i XOR P_{i+1}) > > You make no mention there of whether the key used to encrypt the IV > is the same as that used for the plaintext. As I recall the proposal, it was the same key. (Generating a different one for this purpose is pointless - it would have to be random, in which case you might as well generate the IV randomly.)
> I presume if you need a lot of IVs (see protocols like IPsec), and have > enough key material, a second key might be of value for that -- but I don't > know what all the ins and outs are, and would prefer to read the literature... I searched around but couldn't find it; the proposal apparently was not Rogoway's. It apparently appears in NIST 800-38A (2001), with no citation. In searching around, I came across a recent, unpublished paper by Rogoway: http://www.cs.ucdavis.edu/~rogaway/papers/modes.pdf That paper - which does detailed analyses of a large number of modes - indicates that more recent work has shown that this technique for choosing an IV is *not* secure (against a certain class of attacks) and recommends against using it. I highly recommend that paper. In fact, I highly recommend everything Rogoway has written. We've been discussing authentication and session key exchange - he and Bellare wrote about the problem in 1993 http://cseweb.ucsd.edu/users/mihir/papers/eakd.pdf giving provably secure algorithms for the 2-party case, and two years later http://www.cs.ucdavis.edu/~rogaway/papers/3pkd.pdf extending the work to the 3-party case. -- Jerry _______________________________________________ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography