Subject: Re: crypto(4) and IVs
To: None <tech-crypto@NetBSD.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
Date: 05/29/2005 14:43:34
>> In passing, I have to wonder whether you were just being careless
>> with language when you wrote "predictable".
> I meant "predictable by the attacker". The attacker who sees packet
> N could predict the IV used by packet N+1.
How is this different from seeing block B and thus knowing the IV for
block B+1 within a packet?
If you posit attacker control over the plaintext in packet N+1, you're
talking the adaptive chosen plaintext threat model I mentioned. If
not, I can't see any significant difference between this and *any* use
of CBC modes.
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML firstname.lastname@example.org
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B