Aleksey,

Thanks for your explanation. I stand corrected on my previous statement. It was the session secret seed that is exchanged in the handshake and is used to initialize the IV. The IV will be passed in for every encryption request.

Regards,
--Sanjeev

-----Original Message-----
From: Aleksey Sanin [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 16, 2004 4:58 PM
To: Sood, Sanjeev; [EMAIL PROTECTED]
Subject: Re: [xmlsec] Initialize IV for AES-CBC mode

No, it does not. The purpose of the IV vector is to provide "randomness" for block cipher encryption. A new IV should be generated for *every* encryption operation. DES has a well-known attack when >1 message is encrypted with the same IV. AFAIK, it is not the case with AES, but by the nature of block ciphers, using the same IV vector weakens encryption.

Going back to XML Encryption. You should not worry about IVs. The IV is automatically generated by xmlsec on the encryptor side, sent along with the message (as described in the XML Encryption spec) and then automatically extracted from the message by xmlsec on the decryptor side. The application only needs to exchange AES keys; there is no need to exchange IVs. Note that sending the IV with the message is part of the XML Encryption spec. Thus not only xmlsec but any other XML encryption toolkit should be able to extract the IV from the message.

IMHO, "security thru obscurity" is not the best way of developing security applications. And I am not sure why you think that disclosing the protocol to me is better than doing it to the list :)

Aleksey

Sood, Sanjeev wrote:
> I apologize for writing to you in private. I don't want to disclose our
> application protocol in the message list.
>
> < The protocol description is skipped >
>

_______________________________________________
xmlsec mailing list
[EMAIL PROTECTED]
http://www.aleksey.com/mailman/listinfo/xmlsec
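The IV handling Aleksey describes above (a fresh IV for every encryption, carried as the first block of the CipherValue and read back by the decryptor, so only the AES key is ever exchanged), as an added Go example that is neither xmlsec's code nor part of the thread. It assumes AES-128 in CBC mode with the XML Encryption padding rule (last padding octet holds the padding length) and uses a constructed demo key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Encrypt draws a fresh random IV per call and returns IV || ciphertext (the CipherValue layout).
func Encrypt(key, plain []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	n := aes.BlockSize - len(plain)%aes.BlockSize // XML Encryption padding: 1..16 octets
	padded := append(append([]byte{}, plain...), make([]byte, n)...)
	padded[len(padded)-1] = byte(n) // the last padding octet carries the count
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// Decrypt takes the IV from the CipherValue's first block; the receiver needs only the key.
func Decrypt(key, cipherValue []byte) ([]byte, error) {
	if len(cipherValue) < 2*aes.BlockSize || len(cipherValue)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("cipher value must be an IV followed by whole blocks")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := append([]byte(nil), cipherValue[aes.BlockSize:]...) // copy, then decrypt in place
	cipher.NewCBCDecrypter(block, cipherValue[:aes.BlockSize]).CryptBlocks(padded, padded)
	n := int(padded[len(padded)-1])
	if n < 1 || n > aes.BlockSize {
		return nil, fmt.Errorf("invalid padding length %d", n)
	}
	return padded[:len(padded)-n], nil
}

func main() {
	key := []byte("0123456789abcdef") // constructed 16-byte demo key, not a real secret
	cv, _ := Encrypt(key, []byte("<a>hi</a>"))
	pt, _ := Decrypt(key, cv)
	fmt.Printf("%d-byte CipherValue (IV first), plaintext %q\n", len(cv), pt)
}
```

Encrypting the same element twice yields two different CipherValues because the IV differs each time; CBC alone gives no integrity, so a real deployment still pairs this with a signature or MAC as XML Encryption deployments usually do.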
