
Re: IVs, summary of discussion



There is a basic question here: how much are we willing to rely on
encryption algorithms to also provide authentication, vs using
separate mechanisms designed specifically for the purpose?

Any authentication scheme requires redundancy (i.e., overhead) to
work.  Different users are likely to make different overhead/security
tradeoffs depending on their particular threats and the cost of the
added overhead.

So how about if we state that authentication is specifically *not* a
requirement of an encryption algorithm? This is not to say that we
can't provide a little integrity checking as long as it's "free",
e.g., by making consistency checks on padding information required by
various block chaining schemes. But I see no reason to disallow some
particular encryption scheme just because its ciphertext is more
vulnerable to modification than some other scheme. If integrity is a
requirement, then use a scheme like keyed MD5 that is specifically
designed for that purpose.

Phil
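To make the tradeoff concrete, here is an added example (mine, not Phil's or any IPsec implementation's code) of what a "free" padding consistency check notices versus what a keyed MAC notices when one ciphertext byte is corrupted in transit. It assumes a toy MD5-based Feistel block cipher in CBC mode, PKCS#7-style padding, and HMAC-MD5 as the keyed-MD5 construction; all keys, IVs and messages are constructed sample values.

```python
import hashlib
import hmac
BLOCK = 16  # block size of the toy cipher, in bytes

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _f(key, rnd, half):  # Feistel round function: keyed MD5, truncated to a half block
    return hashlib.md5(key + bytes([rnd]) + half).digest()[:8]
def block_encrypt(key, block):  # toy 4-round Feistel cipher, illustration only
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _f(key, i, r))
    return l + r
def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r
def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n
def unpad(data):  # the "free" padding consistency check: catches only malformed padding
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]
def cbc_encrypt(key, iv, plaintext):
    prev, out = iv, b""
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out
def cbc_decrypt(key, iv, ciphertext):
    prev, out = iv, b""
    for i in range(0, len(ciphertext), BLOCK):
        out += xor(block_decrypt(key, ciphertext[i:i + BLOCK]), prev)
        prev = ciphertext[i:i + BLOCK]
    return out
def padding_check_vs_mac(enc_key, mac_key, iv, message, damaged_byte=0):
    """Corrupt one ciphertext byte in transit and report what each check notices.
    Returns (padding_still_valid, plaintext_unchanged, mac_still_valid)."""
    ct = cbc_encrypt(enc_key, iv, pad(message))
    tag = hmac.new(mac_key, iv + ct, hashlib.md5).digest()  # keyed MD5, HMAC form
    damaged = bytes(b ^ (1 if i == damaged_byte else 0) for i, b in enumerate(ct))
    try:
        recovered, padding_ok = unpad(cbc_decrypt(enc_key, iv, damaged)), True
    except ValueError:
        recovered, padding_ok = None, False
    mac_ok = hmac.compare_digest(tag, hmac.new(mac_key, iv + damaged, hashlib.md5).digest())
    return padding_ok, recovered == message, mac_ok
```

Damage in the first block of a three-block message leaves the padding block untouched, so the padding check passes while the plaintext is wrong; only the MAC rejects the message. Damage in the block just before the padding block happens to corrupt the pad bytes and is caught, which is the sense in which padding checks are "free" but not dependable integrity.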


