
Re: IVs, summary of discussion



Ashar,

	The quote you cite from me is a bit out of context.  We were
discussing the use of error-propagating encryption modes as a basis
for integrity checking, perhaps using whatever error detection
facilities are already present in the transport protocol.  I suspect
the sort of integrity checks you are referring to are ones that have
relatively high per-byte costs, e.g., a one-way hash function.  One
might argue that a suitable encryption mode will provide enough
unpredictable error propagation as to allow existing integrity checks
to operate in an environment that is pretty much equivalent to the
benign environment for which these integrity checks were designed.  I
gave the use of the existing TCP checksum as an example.  This is
clearly not as effective as using a larger and more powerful integrity
check algorithm, but it might represent a reasonable compromise.  

	You have made a good point of why an application such as
broadcast packet video may be one where the use of a stream cipher is
critical for performance.  If the cipher has good error propagation
qualities, then the criterion I noted above is met.  Alternatively, if
this packet format and compression algorithm are presumed to be immune
to effective, real-time manipulation by an attacker with an ability to
modify individual bits of the underlying plaintext in a controlled
fashion, then you're OK anyway.

Steve
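
An added illustration, not part of the original message: it measures how often a TCP-style checksum carried inside the encrypted payload misses a known-plaintext, single-bit change when the cipher has no error propagation versus when it has some. The SHA-256 counter keystream, the toy Feistel block cipher, the choice of CBC as the error-propagating mode, and the key, IV and payload are all assumptions constructed for the example.

```python
import hashlib, struct

KEY, IV = b"constructed key", bytes(range(16))   # constructed sample values
PAYLOAD = b"frame 0042: constructed video."      # 30 bytes, constructed

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def inet_checksum(data):  # 16-bit ones'-complement sum (RFC 1071), as in TCP
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def seal(payload):  # even-length payload followed by its unkeyed checksum
    return payload + struct.pack("!H", inet_checksum(payload))

def check(packet):
    return packet == seal(packet[:-2])

def stream(data):  # XOR with a hash-counter keystream: no error propagation
    blocks = range(len(data) // 32 + 1)
    ks = b"".join(hashlib.sha256(KEY + IV + bytes([i])).digest() for i in blocks)
    return xor(data, ks)

def feistel(block, rounds):  # toy block cipher; reversed round order inverts it
    l, r = block[:8], block[8:]
    for n in rounds:
        l, r = r, xor(l, hashlib.sha256(KEY + bytes([n]) + r).digest()[:8])
    return r + l

def cbc(data, decrypt=False):  # a changed ciphertext block garbles its plaintext
    out, prev = b"", IV
    for i in range(0, len(data), 16):
        blk = data[i:i + 16]
        if decrypt:
            out, prev = out + xor(feistel(blk, (3, 2, 1, 0)), prev), blk
        else:
            prev = feistel(xor(blk, prev), (0, 1, 2, 3))
            out += prev
    return out

def undetected(encrypt, decrypt, bits=200):  # changes the checksum fails to flag
    packet, missed = seal(PAYLOAD), 0
    for b in range(bits):
        forged = xor(PAYLOAD, (1 << b).to_bytes(len(PAYLOAD), "big"))  # one data bit
        delta = xor(packet, seal(forged))          # same flip plus checksum fix-up
        missed += check(decrypt(xor(encrypt(packet), delta)))
    return missed
```

`undetected(stream, stream)` returns 200, since every change passes the checksum, while `undetected(cbc, lambda c: cbc(c, decrypt=True))` stays at or near zero because each change passes only by chance, roughly once in 65,536.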

