Date: Thu, 3 Mar 2005 16:51:14 -0500
From: Thor Lancelot Simon <tls@rek.tjls.com>
To: tech-security@netbsd.org, hackers@freebsd.org, cryptography@metzdowd.com
Subject: Re: FUD about CGD and GBDE
Message-ID: <20050303215114.GA18604@panix.com>
In-Reply-To: <11487.1109886334@critter.freebsd.dk>
References: <Pine.NEB.4.62.0503031625170.12890@server.duh.org> <11487.1109886334@critter.freebsd.dk>
On Thu, Mar 03, 2005 at 10:45:34PM +0100, Poul-Henning Kamp wrote:
> Since the attacker knows the block number the IV generation doesn't
> add strength.
>
> In fact it exposes any weakness in the algorithm even more because it
> offers two-way leverage on the algorithm.
>
> It also adds a very efficient hit-detector for a brute force attack.
>
> It would have been much better to use a different key to generate the IV.
>
> And did he salt the block number at all?  I don't think so...

I think there's a misunderstanding here.  Why do you think secrecy
(unpredictability?) is an important property of an IV for a block cipher
used in CBC mode?  It's not an encryption key, it's an IV.  It just has to
have a large Hamming difference from any _other_ IV used with the same
cipher key.

-- 
Thor Lancelot Simon                                      tls@rek.tjls.com
  "The inconsistency is startling, though admittedly, if consistency is to
   be abandoned or transcended, there is no problem."          - Noam Chomsky
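The exchange above turns on two different properties of a per-sector CBC IV: being distinct from every other IV under the same key, and being unpredictable to someone who can write plaintext to the disk. The script below is an added illustration written for this page; it is not code from either poster, from CGD or from GBDE. It encrypts sectors in CBC mode under three IV derivations (a constant IV, the raw block number, and the block number encrypted under the data key, the last being an assumed shape of an "encrypted block number" IV, not a claim about how CGD implements it) and measures two things: whether identical plaintext in two sectors yields identical ciphertext, and whether a writer who can predict the IV can force the first ciphertext block of one sector to equal that of another without knowing the key. The block cipher is a 4-round Feistel PRP keyed with HMAC-SHA256, a stand-in for AES so the script runs on the standard library alone; the 64-byte sector size and the key are constructed for the demonstration.

```python
"""Per-sector CBC under three IV derivations, showing which IV property buys what.
Block cipher: a 4-round Feistel PRP built on HMAC-SHA256, a stand-in for AES
so the example runs on the standard library alone (not a production cipher)."""
import hashlib
import hmac

BLOCK = 16       # cipher block size in bytes
SECTOR = 64      # constructed sector size: four cipher blocks


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Feistel round function: keyed PRF over (round index, right half), 8 bytes.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 128-bit block cipher (4-round Feistel); AES stand-in."""
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    assert len(data) % BLOCK == 0, "sector data must be block-aligned"
    out, prev = bytearray(), iv
    for off in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(prev, data[off:off + BLOCK]))
        out += prev
    return bytes(out)


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = bytearray(), iv
    for off in range(0, len(data), BLOCK):
        c = data[off:off + BLOCK]
        out += _xor(prev, block_decrypt(key, c))
        prev = c
    return bytes(out)


# Three IV derivations for sector number n.
def iv_constant(key: bytes, n: int) -> bytes:
    return bytes(BLOCK)                       # same IV everywhere

def iv_blkno(key: bytes, n: int) -> bytes:
    return n.to_bytes(BLOCK, "little")        # distinct per sector, computable by anyone

def iv_encblkno(key: bytes, n: int) -> bytes:
    # Block number encrypted under the data key: assumed shape of an
    # "encrypted block number" IV for this illustration only.
    return block_encrypt(key, n.to_bytes(BLOCK, "little"))

IV_SCHEMES = {"constant": iv_constant, "blkno": iv_blkno, "encblkno": iv_encblkno}


def encrypt_sector(key: bytes, ivfn, n: int, plain: bytes) -> bytes:
    return cbc_encrypt(key, ivfn(key, n), plain)


def decrypt_sector(key: bytes, ivfn, n: int, cipher: bytes) -> bytes:
    return cbc_decrypt(key, ivfn(key, n), cipher)


def identical_sectors_collide(scheme: str, key: bytes, n1: int = 5, n2: int = 6) -> bool:
    """Same plaintext written to two sectors: do the ciphertexts match?
    Any IV that differs per sector prevents this; no secrecy is needed."""
    plain = b"A" * SECTOR
    ivfn = IV_SCHEMES[scheme]
    return encrypt_sector(key, ivfn, n1, plain) == encrypt_sector(key, ivfn, n2, plain)


def chosen_write_collides(scheme: str, key: bytes, n1: int = 5, n2: int = 6) -> bool:
    """A writer who assumes IV_n == n picks sector n2's first plaintext block
    as P1 xor n1 xor n2, so that IV xor P is the same in both sectors.  If the
    IV really is predictable, the first ciphertext blocks coincide, which
    gives a key-free equality test across sectors."""
    ivfn = IV_SCHEMES[scheme]
    p1 = bytes(range(SECTOR))
    guessed_iv_diff = _xor(n1.to_bytes(BLOCK, "little"), n2.to_bytes(BLOCK, "little"))
    p2 = _xor(p1[:BLOCK], guessed_iv_diff) + p1[BLOCK:]
    c1 = encrypt_sector(key, ivfn, n1, p1)
    c2 = encrypt_sector(key, ivfn, n2, p2)
    return c1[:BLOCK] == c2[:BLOCK]


def summary(key: bytes = b"constructed demo key") -> dict:
    """scheme -> (identical-sector leak, forced cross-sector collision)."""
    return {s: (identical_sectors_collide(s, key), chosen_write_collides(s, key))
            for s in IV_SCHEMES}


if __name__ == "__main__":
    for scheme, (leak, forced) in summary().items():
        print(f"{scheme:9s} identical-sector leak={leak!s:5s} forced collision={forced}")
```

The constant IV leaks which sectors hold identical plaintext; the raw block number stops that leak (distinctness alone suffices for it) but lets a writer who knows the sector numbers force equal ciphertext blocks across sectors; the key-dependent IV does neither. The script deliberately says nothing about which of these matters for a given threat model, which is the question the thread is arguing.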