Subject: Re: crypto(4) and IVs
To: der Mouse <mouse@Rodents.Montreal.QC.CA>
From: Steven M. Bellovin <firstname.lastname@example.org>
Date: 05/29/2005 15:40:44
In message <200505291846.OAA13705@Sparkle.Rodents.Montreal.QC.CA>, der Mouse wr
>>> In passing, I have to wonder whether you were just being careless
>>> with language when you wrote "predictable".
>> I meant "predictable by the attacker". The attacker who sees packet
>> N could predict the IV used by packet N+1.
>How is this different from seeing block B and thus knowing the IV for
>block B+1 within a packet?
>If you posit attacker control over the plaintext in packet N+1, you're
>talking the adaptive chosen plaintext threat model I mentioned. If
>not, I can't see any significant difference between this and *any* use
>of CBC modes.
Adaptive chosen plaintext is indeed a threat in some situations.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb