Subject: Re: crypto(4) and IVs
To: der Mouse <mouse@Rodents.Montreal.QC.CA>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: tech-crypto
Date: 05/29/2005 10:27:17
In message <200505290458.AAA11770@Sparkle.Rodents.Montreal.QC.CA>, der Mouse writes:
>>> I find that when I do a CIOCCRYPT, the IV is not modified.  How am I
>>> supposed to get the correct IV for my next call?  Do I have to go
>>> under the hood and "know" that for the cipher I'm using (3DES_CBC)
>>> it's the last block of the encrypted data (output for ENCRYPT, input
>>> for DECRYPT)?  Or is there something I'm missing?
>> In fact, the interface should not do that.  There are a number of
>> subtle attacks possible if the IV is predictable by the enemy; thus,
>> in things like packet-oriented crypto, you should *not* use the last
>> block of the previous message as the IV for the next message.
>
>I didn't say anything about packet-oriented.  For many cases - such as
>encrypting a stream of data in CBC mode one bufferful at a time - you
>_do_ want that.  For the cases where you don't, I can't see any harm in
>returning it (except possibly the minor inconvenience of having to keep
>a separate IV buffer around).

Fair point.  I'd call it an API problem: it doesn't distinguish between 
"new message" and "continue the previous message".
>
>In passing, I have to wonder whether you were just being careless with
>language when you wrote "predictable".

I meant "predictable by the attacker".  The attacker who sees packet N 
could predict the IV used by packet N+1.

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb
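The API distinction raised above ("new message" versus "continue the previous message") and the predictability point can both be shown in a few lines of code. What follows is an added illustration for this thread, not code from crypto(4) or from either correspondent. The block cipher is a hypothetical 4-round Feistel permutation keyed by HMAC, standing in for 3DES only so the example runs offline; it is not a secure cipher. The `CbcSession` class is a hypothetical API shape: the caller states whether a chunk continues the message in progress (chain the last ciphertext block, as the poster wanted for bufferful-at-a-time streams) or starts a new one (draw a fresh random IV, so the attacker who saw the previous ciphertext cannot predict it).

```python
import hashlib
import hmac
import os

BLOCK = 16  # constructed block size in bytes for the toy cipher


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Round function of the toy Feistel cipher (HMAC-SHA256, truncated)."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Invertible 16-byte permutation; a stand-in for 3DES, NOT secure."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Plain CBC over whole blocks: C_i = E(P_i XOR C_{i-1}), C_0 = IV."""
    if len(data) % BLOCK:
        raise ValueError("data must be a whole number of blocks")
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = toy_block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        out.append(_xor(toy_block_decrypt(key, blk), prev))
        prev = blk
    return b"".join(out)


class CbcSession:
    """Hypothetical API: the caller says whether a chunk starts a new message.

    encrypt() returns (iv, ciphertext). iv is a fresh random value when a new
    message starts, and None when the chunk continues the previous one (the
    receiver already holds the chaining block, the last ciphertext block).
    """

    def __init__(self, key: bytes):
        self.key = key
        self.chain = None  # last ciphertext block of the message in progress

    def encrypt(self, chunk: bytes, new_message: bool):
        if new_message or self.chain is None:
            iv = os.urandom(BLOCK)  # unpredictable to anyone watching the wire
            ct = cbc_encrypt(self.key, iv, chunk)
            self.chain = ct[-BLOCK:]
            return iv, ct
        # Continuing: the IV is the previous last block, which is public.
        ct = cbc_encrypt(self.key, self.chain, chunk)
        self.chain = ct[-BLOCK:]
        return None, ct

    def next_iv_if_continuing(self) -> bytes:
        """What the next 'continue' chunk will use as its IV; this equals
        the last ciphertext block already sent, so an observer knows it."""
        return self.chain
```

The chaining case is exactly CBC over the concatenated stream: encrypting two chunks with `new_message=False` for the second yields the same bytes as one `cbc_encrypt` call over both, so no extra IV buffer is needed. The new-message case is where returning the last block as the IV would be a mistake: `next_iv_if_continuing()` is computable from ciphertext already on the wire, which is the predictability the reply refers to, and a fresh `os.urandom` IV per message removes it.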