Re: CBC makes Implementations too Slow.
At 3:57 PM -0600 11/28/01, Michael Cyr wrote:
>On Tue, 30 Oct 2001, Steven M. Bellovin wrote:
>
>> CBC mode requires
>> feedback, which makes it impossible to pipeline encryptions; you can't
>> encrypt plaintext block P[n+1] until you have the ciphertext from
>> encrypting P[n].
>
>I know this discussion was a while ago, but I have a question related to
>the problem. First, let me say that I'm new to the list, and still
>somewhat new to IPsec in general, so I hope you'll forgive any ignorance
>on my part.
>
>Would it be a complete violation of the protocol to use random data for
>the IV data instead of a portion of the ciphertext of the previous
>block? I know this violates the spirit of cipher block _chaining_, but
>it would seem to address the concern that CBC was meant to fix, which is
>to ensure that if the same cleartext is encrypted twice, it doesn't
>produce the same ciphertext. Anyone have a definitive answer on this?
>
>Thanks,
>
>----------------------------------------------------------------------
>Michael Cyr      | Phone 512-838-2943 | mikecyr@austin.ibm.com .. Email
>AIX IP Security  | Tie-Line 678-2943  |
>Austin, TX       | FAX 512-838-3509   |-------------------------------
Michael,

It's OK to generate a new random or pseudo-random IV for each packet.
The suggestion of using a residual ciphertext from a previously
encrypted packet should not be taken as a requirement, and might even
be viewed as less than ideal from a strict crypto protocol
perspective. If you use a separate IV for each block, that would be a
different mode entirely, and, unless the IV sequence is
deterministic, the overhead would be unacceptable. I suggest you
stick to standard modes.

Steve
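The three points in the exchange above (CBC feedback means block n+1 cannot be encrypted before block n's ciphertext exists; a fresh random IV per packet is fine and hides repeated plaintexts; an IV per block would be a different mode and would carry one IV's worth of overhead per block) can be seen concretely in the following added example. It is not code from the thread or from any IPsec implementation: the block cipher is a constructed 4-round Feistel permutation keyed with HMAC-SHA256, standing in for a real block cipher only so that the CBC logic runs offline, and all function names, the 16-byte block size, and the packet framing (IV sent in the clear ahead of the ciphertext) are assumptions made for illustration.

```python
import hashlib
import hmac
import os

BLOCK = 16  # toy block size in bytes (assumption for this example)
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, half: bytes, rnd: int) -> bytes:
    # Feistel round function: keyed, non-invertible, 8-byte output.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    # Constructed toy block cipher (a Feistel network); a stand-in for a real cipher.
    assert len(block) == BLOCK
    l, r = block[:8], block[8:]
    for rnd in range(ROUNDS):
        l, r = r, _xor(l, _round_fn(key, r, rnd))
    return l + r


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    l, r = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        l, r = _xor(r, _round_fn(key, l, rnd)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC over whole blocks. The feedback is the point Bellovin made:
    the input to block i is P[i] XOR C[i-1], so C[i-1] must exist first."""
    assert len(plaintext) % BLOCK == 0, "caller pads to a block multiple"
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    # Decryption needs only C[i-1] and C[i], which are both already known,
    # so unlike encryption it can be done for all blocks in parallel.
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(toy_block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def encrypt_packet_random_iv(key: bytes, payload: bytes) -> bytes:
    """Per-packet random IV, carried in the clear ahead of the ciphertext
    (the practice endorsed in the reply). Identical payloads sent twice
    produce different ciphertexts at the cost of one IV per packet."""
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(key, iv, payload)


def encrypt_packet_chained_iv(key: bytes, prev_ciphertext: bytes, payload: bytes) -> bytes:
    """The 'residual ciphertext' alternative: reuse the last ciphertext block
    of the previous packet as this packet's IV. No IV bytes on the wire, but
    the IV is predictable to anyone who saw the previous packet."""
    iv = prev_ciphertext[-BLOCK:]
    return cbc_encrypt(key, iv, payload)


def decrypt_packet(key: bytes, packet: bytes) -> bytes:
    return cbc_decrypt(key, packet[:BLOCK], packet[BLOCK:])


def iv_overhead_bytes(payload_len: int, per_block: bool) -> int:
    """Wire overhead for carrying IVs explicitly: one IV per packet versus
    one IV per block (the 'different mode' the reply warns against)."""
    blocks = payload_len // BLOCK
    return blocks * BLOCK if per_block else BLOCK


if __name__ == "__main__":
    key = b"constructed-key!"  # constructed sample key
    payload = b"A" * 64           # constructed sample payload, 4 blocks
    p1 = encrypt_packet_random_iv(key, payload)
    p2 = encrypt_packet_random_iv(key, payload)
    print("same payload, different ciphertext:", p1[BLOCK:] != p2[BLOCK:])
    print("round trip ok:", decrypt_packet(key, p1) == payload)
    print("IV overhead per packet / per block for 1024 bytes:",
          iv_overhead_bytes(1024, False), iv_overhead_bytes(1024, True))
```

Two things worth noting in the code. With a random per-packet IV, the sender pays 16 bytes once per packet; switching to an IV per block makes the overhead equal to the payload size, which is the "unacceptable" overhead in the reply. The chained-IV variant saves those 16 bytes, but its IV is simply the previous packet's last ciphertext block, visible to any observer, which is why the reply calls it "less than ideal from a strict crypto protocol perspective".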