[145302] in cryptography@c2.net mail archive


Re: Question w.r.t. AES-CBC IV

daemon@ATHENA.MIT.EDU (Peter Gutmann (alt))
Sat Jul 10 13:26:21 2010

In-Reply-To: <Pine.GSO.4.64.1007091352340.12960@ringding.cs.umd.edu>
Date: Sat, 10 Jul 2010 19:09:18 +1200
From: "Peter Gutmann (alt)" <pgut001.reflector@gmail.com>
To: Jonathan Katz <jkatz@cs.umd.edu>
Cc: Ralph Holz <ralph-cryptometzger@ralphholz.de>, cryptography@metzdowd.com

Ralph Holz <ralph-cryptometzger@ralphholz.de> writes:

>CTR mode seems a better choice here. Without getting too technical, security
>of CTR mode holds as long as the IVs used are "fresh" whereas security of CBC
>mode requires IVs to be random.

Unfortunately CTR mode, being a stream cipher, fails completely if the
IVs/keys aren't fresh (as you could force them to be for SRTP under SIP by
attacking the crypto handshake that preceded it, a nice example of attacking
across a protocol boundary, taking advantage of a weakness in one protocol to
break a second), while CBC only becomes a bit less secure.  In addition, CTR
mode fails trivially to integrity attacks, while with CBC it's often more
obvious (you get at least some total corruption before the self-healing takes
effect).

The problem with CTR is that, like RC4, it's very brittle: make a tiny mistake
anywhere and you're toast.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
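The two properties argued over in this thread (CTR collapsing under IV reuse and being bit-for-bit malleable, CBC leaking only block equality under IV reuse and garbling a whole block before it "self-heals") can be checked directly. The script below is an added illustration written for this archive page, not code from the thread or from any of the people quoted in it. It assumes a stand-in 16-byte block cipher (a small Feistel network built from HMAC-SHA256) rather than AES, since the mode-level behaviour being discussed does not depend on which block cipher sits underneath; the key, nonce, IV and plaintexts are constructed test values.

```python
import hmac
import hashlib
from typing import List, Tuple

BLOCK = 16

# Constructed test values (not from the thread).
KEY = bytes(range(32))
MAC_KEY = hashlib.sha256(b"mac-key-derivation-label" + KEY).digest()
NONCE = b"nonce001"             # 8-byte CTR nonce; a 64-bit counter fills the rest of the block
IV = b"constructed-iv!!"        # 16-byte CBC IV
P1 = b"0123456789abcdef" * 4    # four full blocks
P2 = b"fedcba9876543210" * 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, half: bytes, rnd: int) -> bytes:
    # Feistel round function: keyed PRF truncated to a half block (assumption: toy cipher, not AES).
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # 4-round balanced Feistel network, invertible by construction.
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _round(key, r, rnd))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _round(key, l, rnd)), l
    return l + r


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # CTR: keystream block i = E(nonce || i); encryption and decryption are the same operation.
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        keystream = block_encrypt(key, nonce + (i // BLOCK).to_bytes(8, "big"))
        out += _xor(data[i:i + BLOCK], keystream)
    return bytes(out)


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    assert len(data) % BLOCK == 0, "no padding in this illustration"
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return bytes(out)


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        c = data[i:i + BLOCK]
        out += _xor(block_decrypt(key, c), prev)
        prev = c
    return bytes(out)


def flip_bit(data: bytes, byte_index: int) -> bytes:
    b = bytearray(data)
    b[byte_index] ^= 1
    return bytes(b)


def ctr_nonce_reuse_leak(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bool:
    # Reused nonce: the keystream cancels, so c1 XOR c2 == p1 XOR p2 (total failure).
    c1, c2 = ctr_crypt(key, nonce, p1), ctr_crypt(key, nonce, p2)
    return _xor(c1, c2) == _xor(p1, p2)


def cbc_iv_reuse_leak(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> Tuple[bool, bool]:
    # Reused IV: only equality of a common plaintext prefix leaks; the XOR relation does not hold.
    c1, c2 = cbc_encrypt(key, iv, p1), cbc_encrypt(key, iv, p2)
    return c1[:BLOCK] == c2[:BLOCK], _xor(c1, c2) == _xor(p1, p2)


def ctr_flip_effect(key: bytes, nonce: bytes, p: bytes, byte_index: int) -> List[int]:
    # Which plaintext bytes change when one ciphertext bit is flipped under CTR.
    c = ctr_crypt(key, nonce, p)
    p_out = ctr_crypt(key, nonce, flip_bit(c, byte_index))
    return [i for i in range(len(p)) if p[i] != p_out[i]]


def cbc_flip_effect(key: bytes, iv: bytes, p: bytes, byte_index: int) -> List[int]:
    # Same experiment under CBC: the flipped block garbles, the next block gets the
    # one-bit change, and everything after that decrypts cleanly (self-healing).
    c = cbc_encrypt(key, iv, p)
    p_out = cbc_decrypt(key, iv, flip_bit(c, byte_index))
    return [i for i in range(len(p)) if p[i] != p_out[i]]


def tamper_detected(key: bytes, mac_key: bytes, nonce: bytes, p: bytes, byte_index: int) -> bool:
    # Encrypt-then-MAC: the integrity check, not the mode, is what catches the flip.
    c = ctr_crypt(key, nonce, p)
    tag = hmac.new(mac_key, c, hashlib.sha256).digest()
    forged = flip_bit(c, byte_index)
    return not hmac.compare_digest(hmac.new(mac_key, forged, hashlib.sha256).digest(), tag)


if __name__ == "__main__":
    print("CTR nonce reuse leaks p1^p2:", ctr_nonce_reuse_leak(KEY, NONCE, P1, P2))
    print("CBC IV reuse (prefix equal, xor leak):", cbc_iv_reuse_leak(KEY, IV, P1, P1[:16] + P2[16:]))
    print("CTR bytes changed by one-bit flip at 20:", ctr_flip_effect(KEY, NONCE, P1, 20))
    print("CBC bytes changed by one-bit flip at 20:", cbc_flip_effect(KEY, IV, P1, 20))
    print("HMAC detects the flip:", tamper_detected(KEY, MAC_KEY, NONCE, P1, 20))
```

Running it shows the CTR flip changing exactly plaintext byte 20 and nothing else, while the CBC flip scrambles bytes 16 through 31 and changes byte 36, leaving bytes 0 to 15 and 48 onward intact. The last function is the practical takeaway for either mode: pair the cipher with a MAC (or use an AEAD) so that malleability is detected rather than relied on to be "obvious".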
