[145298] in cryptography@c2.net mail archive
Re: Question w.r.t. AES-CBC IV
daemon@ATHENA.MIT.EDU (Steven Bellovin)
Fri Jul 9 19:07:17 2010
From: Steven Bellovin <smb@cs.columbia.edu>
In-Reply-To: <Pine.GSO.4.64.1007091352340.12960@ringding.cs.umd.edu>
Date: Fri, 9 Jul 2010 18:58:28 -0400
Cc: Ralph Holz <ralph-cryptometzger@ralphholz.de>, cryptography@metzdowd.com
To: Jonathan Katz <jkatz@cs.umd.edu>
On Jul 9, 2010, at 1:55 PM, Jonathan Katz wrote:
> CTR mode seems a better choice here. Without getting too technical, security of CTR mode holds as long as the IVs used are "fresh" whereas security of CBC mode requires IVs to be random.
>
> In either case, a problem with a short IV (no matter what you do) is the possibility of IVs repeating. If you are picking 32-bit IVs at random, you expect a repeat after only (roughly) 2^16 encryptions (which is not very many).
>
Unless I misunderstand your point, I think that in the real world there's a very real difference in the insecurity of CBC vs CTR if the IV selection is faulty. With CBC, there is semantic insecurity, in that one can tell if two messages have a common prefix if the IV is the same. Furthermore, if the IV is predictable to the adversary under certain circumstances some plaintext can be recovered.
With CTR, however, there are very devastating two-message attacks if the IVs are the same; all that's necessary is some decent knowledge of some probable plaintext.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
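As an added illustration of the two failure modes contrasted in the message above (this is not code from the thread), the Python below encrypts two messages sharing a prefix under a reused CBC IV and under a reused CTR nonce, then shows what each ciphertext pair reveals. KEY, IV, NONCE, P1 and P2 are constructed values, and a truncated HMAC-SHA256 stands in for the AES block encryption, which is enough because only the forward direction is used and the leakage is a property of the mode.

```python
import hashlib, hmac

BLOCK = 16
# Constructed values for this illustration, not from the thread.
KEY = bytes(range(16))
IV = b"\x00" * 16       # CBC IV, deliberately reused below
NONCE = b"\x11" * 12    # CTR nonce, deliberately reused below
P1 = b"GET /account/balance HTTP/1.1\r\nCookie: s=AAAA"
P2 = b"GET /account/balance HTTP/1.1\r\nCookie: s=BBBB"

def block_encrypt(key, block):
    # Stand-in for AES: HMAC-SHA256 truncated to one block. A keyed PRF rather
    # than a permutation is enough here, since CBC encryption and CTR only use
    # the forward direction; the leakage shown is a property of the mode.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def pkcs7_pad(msg):
    n = BLOCK - len(msg) % BLOCK
    return msg + bytes([n]) * n

def cbc_encrypt(key, iv, msg):
    # CBC: C_i = E(P_i xor C_{i-1}) with C_0 = IV.
    prev, out = iv, []
    msg = pkcs7_pad(msg)
    for i in range(0, len(msg), BLOCK):
        prev = block_encrypt(key, xor(msg[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def ctr_encrypt(key, nonce, msg):
    # CTR: C_i = P_i xor E(nonce || counter_i); no padding needed.
    out = bytearray()
    for i in range(0, len(msg), BLOCK):
        keystream = block_encrypt(key, nonce + (i // BLOCK).to_bytes(4, "big"))
        out += xor(msg[i:i + BLOCK], keystream)
    return bytes(out)

def cbc_common_prefix_blocks(c1, c2):
    # With a repeated IV, CBC ciphertexts agree on exactly the leading blocks
    # where the plaintexts agree, so an observer learns the shared-prefix length.
    n = 0
    for i in range(0, min(len(c1), len(c2)), BLOCK):
        if c1[i:i + BLOCK] != c2[i:i + BLOCK]:
            break
        n += 1
    return n

def ctr_plaintext_xor(c1, c2):
    # With a repeated nonce the keystream cancels: C1 xor C2 == P1 xor P2,
    # the two-time-pad condition behind the "devastating" remark above.
    return xor(c1, c2)
```

With a fresh random IV or nonce per message both leaks disappear, which is the property Katz's "fresh"/"random" requirements buy.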