Subject: Re: crypto(4) and IVs
To: der Mouse <mouse@Rodents.Montreal.QC.CA>
From: Steven M. Bellovin <email@example.com>
Date: 05/29/2005 10:27:17
In message <200505290458.AAA11770@Sparkle.Rodents.Montreal.QC.CA>, der Mouse wr
>>> I find that when I do a CIOCCRYPT, the IV is not modified. How am I
>>> supposed to get the correct IV for my next call? Do I have to go
>>> under the hood and "know" that for the cipher I'm using (3DES_CBC)
>>> it's the last block of the encrypted data (output for ENCRYPT, input
>>> for DECRYPT)? Or is there something I'm missing?
>> In fact, the interface should not do that. There are a number of
>> subtle attacks possible if the IV is predictable by the enemy; thus,
>> in things like packet-oriented crypto, you should *not* use the last
>> block of the previous message as the IV for the next message.
>I didn't say anything about packet-oriented. For many cases - such as
>encrypting a stream of data in CBC mode one bufferful at a time - you
>_do_ want that. For the cases where you don't, I can't see any harm in
>returning it (except possibly the minor inconvenience of having to keep
>a separate IV buffer around).
Fair point. I'd call it an API problem: it doesn't distinguish between
"new message" and "continue the previous message".
>In passing, I have to wonder whether you were just being careless with
>language when you wrote "predictable".
I meant "predictable by the attacker". The attacker who sees packet N
could predict the IV used by packet N+1.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb