On Wed, Feb 13, 2002 at 03:57:59PM +0200, Hugo Krawczyk wrote:

> Thus, future revisions of TLS should also take this into account.
> That is, either transmit a fresh (unpredictable) IV with each msg,
> or implicitly compute this IV in an *unpredictable* way, for example by
> applying a prf to the msg counter.
I'll note that using CTR mode is more efficient than either of these
suggestions. It doesn't require unpredictable IVs.

> PS: since Wei Dai mentioned the case of SSH in this context, the bad news
> there is that even using CBC and fixing the problem of predictable IV
> leaves the protocol open to the attacks on authenticate-and-mac
> shown in my paper (e.g. the attack in appendix C)

Good point. If we want to fix SSH by using a per-packet unpredictable IV,
the IV would have to be added to the list of MAC inputs. I think that
would prevent the attack in appendix C.

I'm not very familiar with how IETF working groups work, so what's the
next step here?

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List
Automated List Manager
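The two fixes discussed in this exchange, as an added example that is not part of the thread and not OpenSSL, SSH or TLS code: the per-record IV is computed implicitly by applying a PRF (HMAC-SHA256, an assumed choice) to the record counter, and that IV is fed into the MAC together with the counter and the plaintext, so the receiver re-derives it and rejects any record whose counter or ciphertext was altered. The key split, record layout and AES-CBC/HMAC-SHA256 pairing are assumptions for illustration, not a real wire format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// prf is HMAC-SHA256 over the 64-bit record counter followed by a and b.
func prf(key []byte, seq uint64, a, b []byte) []byte {
	m := hmac.New(sha256.New, key)
	binary.Write(m, binary.BigEndian, seq)
	m.Write(a)
	m.Write(b)
	return m.Sum(nil)
}

// deriveIV makes the IV of record seq a PRF of the counter, truncated to the
// block size: unpredictable without ivKey, yet computable by both ends (assumed design).
func deriveIV(ivKey []byte, seq uint64) []byte {
	return prf(ivKey, seq, nil, nil)[:aes.BlockSize]
}

// Seal pads (PKCS#7), CBC-encrypts under the derived IV and MACs seq||iv||plaintext.
func Seal(blk cipher.Block, macKey, ivKey []byte, seq uint64, pt []byte) ([]byte, []byte) {
	n := aes.BlockSize - len(pt)%aes.BlockSize
	buf := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	iv := deriveIV(ivKey, seq)
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(buf, buf) // encrypt in place
	return buf, prf(macKey, seq, iv, pt)
}

// Open re-derives the IV, decrypts, strips padding and checks the tag (one error for all failures).
func Open(blk cipher.Block, macKey, ivKey []byte, seq uint64, ct, tag []byte) ([]byte, error) {
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("bad record")
	}
	iv := deriveIV(ivKey, seq)
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || n > len(pt) || !hmac.Equal(tag, prf(macKey, seq, iv, pt[:len(pt)-n])) {
		return nil, errors.New("bad record")
	}
	return pt[:len(pt)-n], nil
}
```

Because the IV is a MAC input, a record replayed under a different counter decrypts under a different IV and fails verification, which is the property the reply asks for; no IV bytes travel on the wire.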