
IVs, summary of discussion



I just had a fairly long discussion with uri@watson.ibm.com about IVs,
the need for security thereon, etc., and we managed to come to an agreement
that's worth sharing with a wider audience.

Basically, many ciphers need some sort of IV or other extra initialization
data to encrypt a message.  In most cases, it is useful for these IVs
to be distinct per message.  In some cases, these should be well-distributed,
while others can accept sequence numbers.  Some need the IV data encrypted.

The entire issue of how much padding is added to an encrypted message
is a parameter of the cipher.   I think that taking the packet size,
adding a constant, rounding up (or down) to a multiple of another
constant (which need not be a power of 2), and adding a third constant
is general enough, if either additive constant may be negative, but if
there's no particular use in standardizing that model, don't bother.

In some cases some IP sequence numbers can be used by the cipher to
avoid what would otherwise need to be an explicit IV field, so the
general secure IP standard should say what information of that nature
is available to the encryption layer, and it is the responsibility of
the encryption sub-standard to say how that information is used.

So, basically, using the IP sequence number may be great for DES-CBC,
but don't mandate it.

I'm sure Uri will correct me if I got anything wrong.
-- 
	-Colin
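The padding model Colin sketches above (packet size, plus a constant, rounded up or down to a multiple of another constant, plus a third constant) is general enough to be worth writing down. The following is an added example, not code from the message or from any IPsec implementation: it implements that model with both additive constants allowed to be negative and the multiple not restricted to a power of two, and applies it to an assumed DES-CBC-style layout (an 8-byte IV in front of the ciphertext and a 2-byte trailer folded into the rounding). The layout constants are assumptions chosen to illustrate the model, not parameters taken from any standard.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PaddingModel:
    """Padded-length model: (size + pre_add) rounded to a multiple, plus post_add.

    pre_add and post_add may be negative; multiple need not be a power of 2.
    round_up selects rounding up (the usual case) or down.
    """
    pre_add: int
    multiple: int
    post_add: int
    round_up: bool = True

    def __post_init__(self):
        if self.multiple <= 0:
            raise ValueError("multiple must be positive")

    def padded_length(self, packet_size: int) -> int:
        """Total on-the-wire size of the encrypted message for a packet of packet_size bytes."""
        n = packet_size + self.pre_add
        if self.round_up:
            # Ceiling division that is also correct for negative n.
            n = -(-n // self.multiple) * self.multiple
        else:
            n = (n // self.multiple) * self.multiple
        return n + self.post_add

    def overhead(self, packet_size: int) -> int:
        """Bytes added on top of the plaintext packet (IV, pad, trailer, etc.)."""
        return self.padded_length(packet_size) - packet_size


# Assumed DES-CBC-style layout for illustration (not from any RFC):
#   8-byte explicit IV before the ciphertext  -> post_add = 8
#   2-byte trailer inside the ciphertext      -> pre_add  = 2
#   block size 8, so round up to a multiple of 8
DES_CBC_EXPLICIT_IV = PaddingModel(pre_add=2, multiple=8, post_add=8)

# Same cipher, but the IV is taken from a sequence number the IP layer
# already carries, so no IV bytes are added to the packet.
DES_CBC_SEQ_IV = PaddingModel(pre_add=2, multiple=8, post_add=0)


def pad_bytes_in_block(model: PaddingModel, packet_size: int) -> int:
    """Bytes of filler needed inside the cipher block stream (excludes IV and trailer)."""
    inner = model.padded_length(packet_size) - model.post_add
    return inner - packet_size - model.pre_add


if __name__ == "__main__":
    for size in (100, 102, 103):
        print(size,
              DES_CBC_EXPLICIT_IV.padded_length(size),
              DES_CBC_SEQ_IV.padded_length(size),
              pad_bytes_in_block(DES_CBC_EXPLICIT_IV, size))
```

Comparing the two models for the same cipher makes the point of the last paragraph concrete: reusing a sequence number the IP layer already sends saves the IV bytes on every packet, but that saving is a property of one cipher sub-standard, so the general standard only needs to say which such fields exist.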

