Re: [ietf-tls] Re: an attack against SSH2 protocol

2002-02-14 Thread Wei Dai
On Wed, Feb 13, 2002 at 03:57:59PM +0200, Hugo Krawczyk wrote: Thus, future revisions of TLS should also take this into account. That is, either transmit a fresh (unpredictable) IV with each msg, or implicitly compute this IV in an *unpredictable* way, for example by applying a prf to the msg

Re: [ietf-tls] Re: an attack against SSH2 protocol

2002-02-14 Thread Stephen Sprunk
Thus spake Wei Dai: I'll note that using CTR mode is more efficient than either of these suggestions. It doesn't require unpredictable IVs. ... Good point. If we want to fix SSH by using a per-packet unpredictable IV, the IV would have to be added to the list of MAC inputs. I think that

Re: [ietf-tls] Re: an attack against SSH2 protocol

2002-02-13 Thread Bodo Moeller
On Wed, Feb 13, 2002 at 03:57:59PM +0200, Hugo Krawczyk wrote: [...] Thus, future revisions of TLS should also take this into account. That is, either transmit a fresh (unpredictable) IV with each msg, or implicitly compute this IV in an *unpredictable* way, for example by applying a prf to

Re: [ietf-tls] Re: an attack against SSH2 protocol

2002-02-13 Thread Hugo Krawczyk
On Fri, 8 Feb 2002, Bodo Moeller wrote: In TLS, the IV for subsequent records is the last ciphertext block from the previous record [RFC 2246], and plaintext blocks usually consist of raw application data followed by a MAC, so the attack applies. (Having the MAC at the *beginning* of each

Re: an attack against SSH2 protocol

2002-02-08 Thread Bodo Moeller
Wei Dai: [Posted to sci.crypt and the IETF SSH working group mailing list.] Phil Rogaway observed that CBC mode is not secure against chosen-plaintext attack if the IV is known or can be predicted by the attacker before he chooses his plaintext [1]. Similarly, CBC mode