[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

pf_key comments (predictable IVs)

To: bhoward@TimeStep.com, chk@border.com, URI@watson.ibm.com
Subject: pf_key comments (predictable IVs)
From: HUGO@watson.ibm.com
Date: Tue, 7 Jan 97 10:31:29 EST
cc: ipsec@tis.com
Sender: owner-ipsec@ex.tis.com

The traditional motivation for IVs is to cause two encryptions of the
same plaintext to result in two different cipheretexts.
For such a use just different (even if predicatable) IVs are enough.
However, there is more functionality built into IVs.
They are intended to randomize plaintext before encryption for a variety of
other reasons.  Especially, against chosen message attacks.

Consider, for example, an attacker that builds a table with encryptions
of the all-zero message under the 2^56 DES keys.
How does the guy gets an encryption of zero under the victim's key?
If the attcker can mount a chosen plaintext attack it could ask for the
encryption of the zero message. But if the encryptor chooses an IV before
encrypting then the attacker gets DES(K,IV) rather than DES(K,0).

On the other hand, if the IV is known to the attacker before hand (e.g., the
IV is an incrementing counter or the last block of ciphertext from the
*previous* message) then the task for the attacker is easy.
He just chooses the message to encrypt to be equal to the next IV.
The ciphertext he will see is DES(K, IV XOR IV) = DES(K,0) !

If instead, the IV is chosen *after* the plaintext is fixed (in a way which
is unpredictable to the attacker) then the attacker has little to do
to get DES(K,0).

I hope this helps in clarifying the issue of predictable vs unpredictable IVs.
In particular, IVs known *before* choosing/fixing the message to be
encrypted or *after*.

Another example from Phil Rogaway (draft-rogaway-ipsec-comments-00.txt):

 "...suppose the IV is  a sequence number: 0, 1, 2, ... .
  Then a (first) encryption of 0x0000000000000000 followed by an encryption of
   0x0000000000000001 is recognizably distinct from a (first) encryption
   of 0x0000000000000000 followed by an  encryption of
   0x0000000000000000.  Clearly this violates violates the notion of a
   secure encryption sketched in Section 2."

 [You can find the full Rogaway's draft in
  http://wwwcsif.cs.ucdavis.edu/~rogaway/papers/list.html
  A related one in the same page is:
  draft-rogaway-cbc-encrypt-00.txt (April 27, 1995)]

Hugo

Prev by Date: Re: [graydon@gabber.multinet.net: Thinkin' about identifiers...]
Next by Date: [Admin] New Editor for IPsec Base Specs
Prev by thread: Re: [graydon@gabber.multinet.net: Thinkin' about identifiers...]
Next by thread: [Admin] New Editor for IPsec Base Specs
Index(es):
- Main
- Thread