S 2.

>> This document does not consider AES-CBC ([RFC3602]) as AES-CBC
>> requires the IV to be unpredictable. Deriving it directly from the
>> packet counter as described below is insecure.
>>
>> Can you provide a cite for this?
>>
>> Even RFC 3602 requires that the IV be randomly generated (and for good
>> measure requires that it be unpredictable)
>>
> That's just a cite to a requirement, not to it being insecure. Do you have
> a citation to the relevant threat?
A predictable IV can be exploited by chosen-plaintext attacks. RFC 3602 cites [CRYPTO-B] in the Security Considerations section:

"""
For more information regarding the necessary use of random IV values, see [CRYPTO-B <https://tools.ietf.org/html/rfc3602#ref-CRYPTO-B>].
"""

with:

[CRYPTO-B] Bellovin, S., "Probable Plaintext Cryptanalysis of the IP Security Protocols", Proceedings of the Symposium on Network and Distributed System Security, San Diego, CA, pp. 155-160, February 1997. http://www.research.att.com/~smb/papers/probtxt.pdf

This link works: https://www.cs.columbia.edu/~smb/papers/probtxt.pdf
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
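Added example (not from the thread or from any RFC 3602 implementation) showing why the draft text and RFC 3602 require an unpredictable IV. It models the chosen-plaintext test the reply above refers to: if the IV of the next packet can be predicted from the packet counter, an observer who gets one chosen block encrypted can check whether a guess for an earlier packet's first block was right, because the two first ciphertext blocks then agree exactly when the guess was correct. With a fresh random IV per packet the same test tells the observer nothing. The block cipher here is a toy 4-round Feistel permutation built on SHA-256 so the example runs without third-party libraries; it stands in for AES and is an assumption of the example, not a secure cipher. The function names, the sample key and the sample plaintext are all constructed for the example.

```python
import hashlib
import os

BLOCK = 16  # bytes per cipher block, as with AES


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function of the toy Feistel cipher (hash based, illustrative only).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    # 4-round Feistel permutation on a 16-byte block: a stand-in for AES so the
    # example has no dependencies. Constructed for illustration, NOT secure.
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Textbook CBC: each plaintext block is XORed with the previous ciphertext
    # block (the IV for the first block) before the block cipher is applied.
    if len(plaintext) % BLOCK:
        raise ValueError("plaintext must be a whole number of blocks")
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out.append(_xor(toy_block_decrypt(key, cur), prev))
        prev = cur
    return b"".join(out)


def counter_iv(packet_counter: int) -> bytes:
    # IV derived directly from the packet counter: predictable, which is the
    # scheme the quoted draft text rejects for AES-CBC.
    return packet_counter.to_bytes(BLOCK, "big")


def random_iv(_packet_counter: int = 0) -> bytes:
    # What RFC 3602 requires instead: a fresh unpredictable IV per packet.
    return os.urandom(BLOCK)


def guess_is_confirmed(key: bytes, iv_for_packet, secret_block: bytes,
                       guess: bytes) -> bool:
    """Model of the chosen-plaintext test discussed above.

    Packet 1 carries `secret_block` under IV1, which travels in the clear.
    An observer who predicts IV2 as counter_iv(2) and can get one chosen
    block encrypted in packet 2 submits guess XOR IV1 XOR predicted_IV2.
    Under the counter scheme the first ciphertext block of packet 2 then
    equals that of packet 1 exactly when the guess was right, so each
    chosen block leaks one yes/no answer about the secret. Under random
    IVs the prediction is wrong and the comparison carries no information.
    """
    iv1 = iv_for_packet(1)
    c1 = cbc_encrypt(key, iv1, secret_block)
    predicted_iv2 = counter_iv(2)          # the observer's prediction
    chosen = _xor(_xor(guess, iv1), predicted_iv2)
    iv2 = iv_for_packet(2)                 # what the sender actually uses
    c2 = cbc_encrypt(key, iv2, chosen)
    return c1[:BLOCK] == c2[:BLOCK]


if __name__ == "__main__":
    key = b"k" * 16                         # constructed sample key
    secret = b"GET /index.html "            # constructed 16-byte sample block
    print("counter IV, right guess:", guess_is_confirmed(key, counter_iv, secret, secret))
    print("counter IV, wrong guess:", guess_is_confirmed(key, counter_iv, secret, b"GET /secret.txt "))
    print("random IV, right guess: ", guess_is_confirmed(key, random_iv, secret, secret))
```

The point of the comparison is the last two lines of output: with the counter-derived IV the correct guess is confirmed and a wrong one rejected, so the ciphertext acts as an oracle for plaintext guesses; with `random_iv` even the correct guess is not confirmed. Any real deployment should use a proper block cipher and an IV from a cryptographic random source, as RFC 3602 requires, rather than the toy cipher here.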
