Re: [ietf-tls] Re: an attack against SSH2 protocol

2002-02-14 Thread Stephen Sprunk
Thus spake Wei Dai: > I'll note that using CTR mode is more efficient than either of these > suggestions. It doesn't require unpredictable IVs. ... > Good point. If we want to fix SSH by using a per-packet unpredictable IV, > the IV would have to be added to the list of MAC inputs. I think that >

Re: [ietf-tls] Re: an attack against SSH2 protocol

2002-02-14 Thread Wei Dai
On Wed, Feb 13, 2002 at 03:57:59PM +0200, Hugo Krawczyk wrote: > Thus, future revisions of TLS should also take this into account. > That is, either transmit a fresh (unpredictable) IV with each msg, > or implicitly compute this IV in an *unpredictable* way, for example by > applying a prf to the

Re: [ietf-tls] Re: an attack against SSH2 protocol

2002-02-13 Thread Hugo Krawczyk
On Fri, 8 Feb 2002, Bodo Moeller wrote: > In TLS, the "IV for subsequent records is the last ciphertext block > from the previous record" [RFC 2246], and plaintext blocks usually > consist of raw application data followed by a MAC, so the attack > applies. (Having the MAC at the *beginning* of

Re: [ietf-tls] Re: an attack against SSH2 protocol

2002-02-13 Thread Bodo Moeller
On Wed, Feb 13, 2002 at 03:57:59PM +0200, Hugo Krawczyk wrote: [...] > Thus, future revisions of TLS should also take this into account. > That is, either transmit a fresh (unpredictable) IV with each msg, > or implicitly compute this IV in an *unpredictable* way, for example by > applying a prf

Re: an attack against SSH2 protocol

2002-02-08 Thread Bodo Moeller
Wei Dai <[EMAIL PROTECTED]>: >> [Posted to sci.crypt and the IETF SSH working group mailing list.] >> >> Phil Rogaway observed that CBC mode is not secure against chosen- >> plaintext attack if the IV is known or can be predicted by the attacker >> before he chooses his plaintext [1]. Similarly,