Subject: Re: arc4random(9)
To: der Mouse <mouse@Rodents.Montreal.QC.CA>
From: Bill Sommerfeld <sommerfeld@netbsd.org>
List: tech-kern
Date: 06/09/2002 18:08:50
[responding to old mail]
> >        3. cryptographically strong generator for cases where you need
> >           it, such as CBC IVs.
> 
> Why do you need a cryptographically strong generator for IVs?  They're
> sent in the clear anyway.

CBC's IVs need to be unpredictable to avoid the recently discovered
CBC "oracle" attack.

Recall that in CBC mode, the basic transformation is to divide
plaintext up into blocks P[1]...P[n] and then compute:

	C[n] = block-cipher(key, P[n] XOR C[n-1] )

C[0] is the "initialization vector".

Assume the attacker believes that P'[i] was the plaintext for C[i],
and is able to inject P[j] after seeing C[j-1].

Knowing C[i-1] and C[j-1], the attacker computes

	P[j] = P'[i] XOR C[i-1] XOR C[j-1]

and injects the chosen plaintext.

The victim computes:

	C[j] = block-cipher(key, P[j] XOR C[j-1])

aka:

	C[j] = block-cipher(key, P'[i] XOR C[i-1] XOR C[j-1] XOR C[j-1])

aka:

	C[j] = block-cipher(key, P'[i] XOR C[i-1])

and if P'[i] == P[i], we have:

	C[j] = C[i]

i.e., you see the same cipherblock pop out the other end.

						- Bill
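The oracle Bill describes, as an added example that is not part of the original mail. The block cipher is a stand-in keyed Feistel permutation built from HMAC-SHA256 (an assumption of this example, chosen so it runs with the standard library; the argument is identical for AES), the victim's IV is either chained from the previous message's last ciphertext block (predictable) or drawn fresh per message, and the equality test is the one from the mail with j = 1 of the next message, so C[j-1] is that message's IV. With a predictable IV the test confirms a correct guess of P[i]; with a fresh IV the value of C[j-1] is unknown when P[j] is chosen, so the test reveals nothing.

```python
import hashlib
import hmac
import os

BLOCK = 16

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def block_cipher(key: bytes, block: bytes) -> bytes:
    # Stand-in keyed permutation (4-round Feistel over HMAC-SHA256), not a
    # real cipher; used only so the example needs no crypto library.
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> list:
    # Returns [C[0], C[1], ..., C[n]] with C[0] the IV, as in the mail.
    c = [iv]
    for k in range(0, len(plaintext), BLOCK):
        c.append(block_cipher(key, xor(plaintext[k:k + BLOCK], c[-1])))
    return c

class Victim:
    # Encrypts messages under one key. predictable=True chains the IV from the
    # previous ciphertext's last block; predictable=False draws a fresh one.
    def __init__(self, predictable: bool):
        self.key, self.predictable = os.urandom(32), predictable
        self.last_block = os.urandom(BLOCK)

    def encrypt(self, plaintext: bytes) -> list:
        iv = self.last_block if self.predictable else os.urandom(BLOCK)
        c = cbc_encrypt(self.key, iv, plaintext)
        self.last_block = c[-1]
        return c

def oracle_confirms(victim: Victim, c_old: list, i: int, guess: bytes) -> bool:
    # Attacker believes guess == P[i] behind c_old[i], assumes the next IV
    # (C[j-1]) will be c_old[-1], injects P[j] from the mail, checks C[j]==C[i].
    predicted_iv = c_old[-1]
    p_j = xor(xor(guess, c_old[i - 1]), predicted_iv)
    return victim.encrypt(p_j)[1] == c_old[i]

def run(predictable: bool, secret: bytes, guess: bytes) -> bool:
    # secret: the victim's earlier one-block (16-byte) message, P[1].
    victim = Victim(predictable)
    c_old = victim.encrypt(secret)
    return oracle_confirms(victim, c_old, 1, guess)
```

With `run(True, ...)` a correct guess is confirmed and a wrong one rejected; with `run(False, ...)` the chained-IV assumption fails and even a correct guess is not confirmed.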