All,
On 11/20/18 14:02, Christopher Schultz wrote:
> All,
>
> On 11/20/18 13:46, Christopher Schultz wrote:
>> All,
>>
>> I'd like a sanity-check on something I've done for the
>> EncryptInterceptor.
>>
>> I'm using CBC mode because any other mode makes no sense. Using
>> ECB mode isn't evasive enough and the more elaborate ones
>> require that both sides (encrypt/decrypt) agree on the IVs being
>> used. Setting both encryption key /and/ IV for the interceptor
>> isn't convenient and is likely to cause people to make stupid
>> decisions.
>>
>> So I'm using a random IV and using the IV as the first block
>> being sent from any sender to the receivers. This prevents
>> known-ciphertext analysis if the attacker can see the encrypted
>> stream: the IV is random so it's difficult to learn anything
>> from the encrypted stream.
>>
>> However, after a single message is sent, the Cipher object is
>> returned to its original state and the same IV is used over and
>> over again. Key + IV should generally not be re-used together.
>>
>> Right now, the encrypted message looks like this:
>>
>> block_encrypt(IV) + block_encrypt(message_block[0]) +
>> block_encrypt(message_block[1]) ...
>>
>> Encrypting the IV allows the receiver to get an initial encrypted
>> block that it doesn't care about. It discards the block and then
>> message_block[0] can be decrypted with the correct IV (computed
>> from the previous ciphertext block, NOT the previous plaintext
>> block -- that's how CBC works) and so on.
>>
>> But the IV re-use is bothering me. I think we should change it
>> to:
>>
>> IV + block_encrypt(message_block[0]) +
>> block_encrypt(message_block[1]) ...
>>
>> The sender will need to generate a new IV *for every message*.
>>
>> Then the receiver instead of ignoring the first block will read
>> it as an IV which is used to seed the decryption cipher.
>>
>> I believe this will improve the security of the messages being
>> sent, but I'd prefer a few second-opinions.
>
> An alternative is to send a nonce as the first block, rather than
> sending the IV itself. This may yield better performance than
> re-initializing the Cipher object each time with a new IV.

Following up on this, I believe I have corrected all of the issues
raised above except for replay attacks.

-chris
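The two framings compared in the thread, written out as a stand-alone Java example (added here; this is not the EncryptInterceptor code, and the class, method names, AES-128 key size and "AES/CBC/PKCS5Padding" transform are assumptions for illustration). The "old" functions reproduce the fixed-IV layout block_encrypt(IV) + block_encrypt(message_block[0]) + ..., where the receiver decrypts with the same fixed IV and discards the first block; the "fresh" functions reproduce the proposed IV + block_encrypt(message_block[0]) + ... layout with a new random IV per message, which the receiver reads off the front and uses to initialise its own Cipher. Running it shows why the fixed IV is a problem: the same plaintext sent twice under the old framing is byte-identical on the wire, while under the new framing it is not.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Illustrative only; assumed parameters: AES-128, CBC, PKCS#5 padding, 16-byte blocks. */
public class IvFramingDemo {
    static final String TRANSFORM = "AES/CBC/PKCS5Padding"; // assumed transform
    static final int BLOCK = 16;
    static final SecureRandom RNG = new SecureRandom();

    /** Old framing: one fixed IV for every message; the IV is fed through the cipher
     *  as the first plaintext block, so the first ciphertext block is block_encrypt(IV). */
    static byte[] encryptFixedIv(SecretKey key, byte[] fixedIv, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(fixedIv));
        return c.doFinal(concat(fixedIv, plaintext));
    }

    /** Old framing receiver: decrypt with the same fixed IV, then discard the
     *  first block (it is just the IV again). */
    static byte[] decryptFixedIv(SecretKey key, byte[] fixedIv, byte[] message) throws Exception {
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(fixedIv));
        byte[] ivAndPlain = c.doFinal(message);
        return Arrays.copyOfRange(ivAndPlain, BLOCK, ivAndPlain.length);
    }

    /** Proposed framing: fresh random IV per message, sent in the clear as the first block. */
    static byte[] encryptFreshIv(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[BLOCK];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        return concat(iv, c.doFinal(plaintext));
    }

    /** Proposed framing receiver: the first block is the IV, the rest is ciphertext.
     *  With PKCS#5 padding even an empty plaintext yields one block, so anything
     *  shorter than IV + one block, or not block-aligned, is malformed. */
    static byte[] decryptFreshIv(SecretKey key, byte[] message) throws Exception {
        if (message.length < 2 * BLOCK || message.length % BLOCK != 0) {
            throw new IllegalArgumentException("message must be IV plus at least one ciphertext block");
        }
        byte[] iv = Arrays.copyOfRange(message, 0, BLOCK);
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        return c.doFinal(message, BLOCK, message.length - BLOCK);
    }

    static byte[] concat(byte[] a, byte[] b) {
        byte[] out = Arrays.copyOf(a, a.length + b.length);
        System.arraycopy(b, 0, out, a.length, b.length);
        return out;
    }

    public static void main(String[] args) throws Exception {
        byte[] keyBytes = new byte[16];
        RNG.nextBytes(keyBytes);
        SecretKey key = new SecretKeySpec(keyBytes, "AES");
        byte[] fixedIv = new byte[BLOCK];
        RNG.nextBytes(fixedIv);
        // Constructed sample message; any bytes would do.
        byte[] msg = "session replicated".getBytes(StandardCharsets.UTF_8);

        // Old framing: the same message twice gives identical bytes on the wire, so a
        // passive observer can tell that two messages are equal (or share a prefix).
        byte[] old1 = encryptFixedIv(key, fixedIv, msg);
        byte[] old2 = encryptFixedIv(key, fixedIv, msg);
        System.out.println("fixed IV, repeat is identical:  " + Arrays.equals(old1, old2));
        System.out.println("fixed IV round trip:            "
                + new String(decryptFixedIv(key, fixedIv, old1), StandardCharsets.UTF_8));

        // Proposed framing: fresh IV each time, so repeats are not recognisable.
        byte[] new1 = encryptFreshIv(key, msg);
        byte[] new2 = encryptFreshIv(key, msg);
        System.out.println("fresh IV, repeat is identical:  " + Arrays.equals(new1, new2));
        System.out.println("fresh IV round trip:            "
                + new String(decryptFreshIv(key, new1), StandardCharsets.UTF_8));
    }
}
```

Two caveats a reviewer would raise, both consistent with the thread. First, a random per-message IV only buys confidentiality against a passive observer; CBC by itself provides no integrity, so an attacker who can modify the stream can still alter ciphertext (and, in the proposed framing, the clear IV block) without the receiver noticing, and a message can be replayed verbatim, which the final reply above says is still open. Second, the IV must be unpredictable, not merely unique, so it should come from SecureRandom as here, not from a counter.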