tech-crypto archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: crypto(4) and IVs



In message <200505290104.VAA22460%Sparkle.Rodents.Montreal.QC.CA@localhost>, 
der Mouse wr
ites:
>I've been trying to do useful things with crypto(4) - or more
>precisely, trying to write code to pound on it in the hope of figuring
>out why I'm seeing certain errors when talking to a machine with a
>crypto accelerator in it.
>
>I find that when I do a CIOCCRYPT, the IV is not modified.  How am I
>supposed to get the correct IV for my next call?  Do I have to go under
>the hood and "know" that for the cipher I'm using (3DES_CBC) it's the
>last block of the encrypted data (output for ENCRYPT, input for
>DECRYPT)?  Or is there something I'm missing?
>

In fact, the interface should not do that.  There are a number of 
subtle attacks possible if the IV is predictable by the enemy; thus, in 
things like packet-oriented crypto, you should *not* use the last block 
of the previous message as the IV for the next message.  (Yes, I know 
that RFC 2405 suggests that.  It's wrong.)


                --Steven M. Bellovin, http://www.cs.columbia.edu/~smb





Home | Main Index | Thread Index | Old Index