
Re: IVs, summary of discussion



Phil,

	In principle, I agree with your observations, i.e., encryption
need not confer authentication nor even be designed to support
authentication.  The two are separable services (confidentiality and
integrity, really, with authentication a side effect of key management
for integrity).  However, I do worry about users who don't appreciate
the difference selecting encryption only (because of a performance
concern) and being vulnerable to attacks that they didn't understand.

	Authentication/integrity imposes a bandwidth burden in terms
of redundant information, and the computational burden of computing a
very good integrity check value is also a valid concern.  One tradeoff
is that one can use a simpler integrity check value, maybe one that
is already in place such as the TCP checksum, with an encryption mode
that has very good error extension, like CBC, to avoid the
computational burden and to avoid adding additional, redundant
information.  This is the approach I proposed in the early 80s when I
was trying to add security to the Internet protocols.  It is not as
secure as an explicit integrity check such as MD5, but it doesn't take
up any more space nor does it require extra computation for the
integrity check.  The primary downside, relative to use of OFB, is an
inability to precompute key stream for XORing with the data.  However,
the default level of integrity provided (but checked at a higher layer)
is not bad.

Steve
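
The error-extension difference between CBC and OFB that the message relies on, and the OFB keystream precomputation it mentions, can be measured directly. The following is an added example, not part of the original message: the block cipher is a toy 4-round Feistel built on SHA-256 as a stand-in for a real cipher, the key, IV and message are constructed, and all function names are hypothetical.

```python
import hashlib

BLOCK = 8  # toy 64-bit block, enough to show propagation

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def f(key, half, rnd):  # Feistel round function (toy stand-in, not a real cipher)
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def enc_block(key, blk):
    l, r = blk[:4], blk[4:]
    for rnd in range(4):
        l, r = r, xor(l, f(key, r, rnd))
    return l + r

def dec_block(key, blk):
    l, r = blk[:4], blk[4:]
    for rnd in reversed(range(4)):
        l, r = xor(r, f(key, l, rnd)), l
    return l + r

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def cbc_encrypt(key, iv, pt):
    out = [iv]
    for blk in blocks(pt):
        out.append(enc_block(key, xor(blk, out[-1])))
    return b"".join(out[1:])

def cbc_decrypt(key, iv, ct):
    prev = [iv] + blocks(ct)  # each block is unmasked with the previous ciphertext block
    return b"".join(xor(dec_block(key, c), p) for c, p in zip(blocks(ct), prev))

def ofb_keystream(key, iv, n):
    # Depends only on key and IV, so it can be computed before the data exists.
    ks = [iv]
    while BLOCK * (len(ks) - 1) < n:
        ks.append(enc_block(key, ks[-1]))
    return b"".join(ks[1:])[:n]

def error_extension(mode, key=b"constructed key", iv=bytes(BLOCK),
                    pt=b"constructed 24-byte msg!"):
    """Flip one bit in ciphertext block 0; return plaintext bits changed per block."""
    ks = ofb_keystream(key, iv, len(pt))
    ct = cbc_encrypt(key, iv, pt) if mode == "cbc" else xor(pt, ks)
    bad_ct = bytes([ct[0] ^ 0x01]) + ct[1:]
    bad = cbc_decrypt(key, iv, bad_ct) if mode == "cbc" else xor(bad_ct, ks)
    return [sum(bin(x ^ y).count("1") for x, y in zip(g, b))
            for g, b in zip(blocks(pt), blocks(bad))]
```

Under OFB the result is `[1, 0, 0]`: the change lands on exactly the bit that was altered. Under CBC the first block is scrambled and the second has the one matching bit flipped, which is the behaviour a simple checksum at a higher layer depends on.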


