On Mon, 20 Feb 2012, Harald Hanche-Olsen wrote:
> ["Kevin W. Wall" <[email protected]> (2012-02-20 07:11:52 UTC)]
> > So my first question: Are there ANY "combined" cipher modes
> > for block ciphers that do not cause the ciphers to act as a key
> > stream? (That seems to be because most of the ones I found build
> > the confidentiality piece around CTR mode.) If "yes", please name
> > a few (especially those with no patent restrictions).

You can always construct a "combined" mode (also called an "authenticated
encryption scheme") by combining a secure encryption scheme with a message
authentication code (MAC) -- applying the MAC to the ciphertext, using
independent keys. The NIST modes and others you have seen are slightly
more efficient, however.

> > So my second question is, if all the "combined" cipher modes all
> > cause a cipher to act as if it is in a streaming mode, is it okay
> > to just choose a completely RANDOM IV for each encryption?
>
> I'll bite on this one, leaving the harder part of your question to the
> real experts. Yes, that should be okay, PROVIDED you have access to a
> good source of entropy (aka randomness). See the long, long thread on
> duplicate primes in RSA moduli to get a notion of how horribly wrong
> things can go if you don't.

What he said. Note also that the potential problems with IV reuse, etc.,
don't go away by choosing a non-streaming mode, anyway. But modes are
designed to be secure assuming the IVs are randomly chosen.
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography