Subject: Re: crypto(4) and IVs
To: der Mouse <mouse@Rodents.Montreal.QC.CA>
From: Steven M. Bellovin <>
List: tech-crypto
Date: 05/29/2005 00:05:46
In message <200505290104.VAA22460@Sparkle.Rodents.Montreal.QC.CA>, der Mouse wr
>I've been trying to do useful things with crypto(4) - or more
>precisely, trying to write code to pound on it in the hope of figuring
>out why I'm seeing certain errors when talking to a machine with a
>crypto accelerator in it.
>I find that when I do a CIOCCRYPT, the IV is not modified.  How am I
>supposed to get the correct IV for my next call?  Do I have to go under
>the hood and "know" that for the cipher I'm using (3DES_CBC) it's the
>last block of the encrypted data (output for ENCRYPT, input for
>DECRYPT)?  Or is there something I'm missing?

In fact, the interface should not do that.  There are a number of 
subtle attacks possible if the IV is predictable by the enemy; thus, in 
things like packet-oriented crypto, you should *not* use the last block 
of the previous message as the IV for the next message.  (Yes, I know 
that RFC 2405 suggests that.  It's wrong.)

		--Steven M. Bellovin,