Re: A patch to loop.c for better cryption support

From: David Wagner (daw@mozart.cs.berkeley.edu)
Date: Sat Oct 14 2000 - 12:17:18 EST


Marc Mutz wrote:
>> There are some who believe that "not unique" IVs (across multiple
>> filesystems) facilitates some methods of cryptanalysis.
>
>Do you have a paper reference?

There's no paper, because it's too trivial to appear in a paper.
But you can find this weakness described in any good crypto textbook.
See, e.g., Bruce Schneier's _Applied Cryptography_; the section on
CBC mode says that IVs must not repeat. (However, it does get one
thing wrong: it claims that it's ok to use a serial number for your
IV. This is not correct, and I can give a reference for this latter,
subtler point, if you like.)

>As CTR mode _requires_ unique IVs (CBC does not),

Sorry, that turns out not to be the case. Both CBC and CTR mode
require unique IVs (for security).

>the upper half of the
>IV could be initialized from the key

It's a bad idea to include key material in your IV. (Kerberos did
it, and there were some attacks as a result.) I recommend against it.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/
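The two IV problems raised in the message above, shown in working code as an added illustration (this is not code from the original thread or from loop.c). The block cipher E_k is replaced by a keyed PRF (HMAC-SHA256 truncated to 16 bytes) so that the script runs on the standard library alone; none of the leakage shown depends on which block cipher is used, only on how the IV is handled. The key, IVs and plaintexts are constructed for the demonstration.

```python
"""
Added example: why CBC and CTR both need unique IVs, and why a unique but
predictable (serial-number) IV is still not enough for CBC.

E_k is a stand-in (HMAC-SHA256 truncated to one block), not a real block
cipher, so only the encryption direction exists here. That is all an
attacker who observes ciphertexts needs for these attacks.
"""
import hashlib
import hmac
import os

BLOCK = 16


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_k on one block (assumption: a PRF suffices to show the modes' behaviour)."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad(data: bytes) -> bytes:
    """PKCS#7 padding to a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: C_i = E_k(P_i XOR C_{i-1}), with C_0 = IV."""
    prev, out = iv, []
    data = pad(plaintext)
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def ctr_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CTR: C_i = P_i XOR E_k(IV + i), the IV being a 16-byte big-endian counter block."""
    out = []
    ctr = int.from_bytes(iv, "big")
    for i in range(0, len(plaintext), BLOCK):
        counter_block = ((ctr + i // BLOCK) & ((1 << 128) - 1)).to_bytes(BLOCK, "big")
        keystream = block_encrypt(key, counter_block)
        chunk = plaintext[i:i + BLOCK]
        out.append(xor(chunk, keystream[:len(chunk)]))
    return b"".join(out)


def ctr_iv_reuse_leak(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bytes:
    """CTR with one IV used twice: the keystreams coincide, so C1 XOR C2 = P1 XOR P2.
    An attacker who knows (or guesses) P1 recovers P2 with no key at all."""
    c1 = ctr_encrypt(key, iv, p1)
    c2 = ctr_encrypt(key, iv, p2)
    n = min(len(c1), len(c2))
    return xor(xor(c1[:n], c2[:n]), p1[:n])


def cbc_common_prefix_blocks(key: bytes, iv1: bytes, iv2: bytes, p1: bytes, p2: bytes) -> int:
    """CBC with a repeated IV: equal plaintext prefixes give equal ciphertext prefixes.
    Returns how many leading blocks the two ciphertexts share (0 when the IVs differ)."""
    c1 = cbc_encrypt(key, iv1, p1)
    c2 = cbc_encrypt(key, iv2, p2)
    n = 0
    while n < min(len(c1), len(c2)) and c1[n:n + BLOCK] == c2[n:n + BLOCK]:
        n += BLOCK
    return n // BLOCK


def cbc_predictable_iv_guess(key: bytes, iv_prev: bytes, c_prev_block0: bytes,
                             iv_next: bytes, guess: bytes) -> bool:
    """The subtler point: a serial-number IV never repeats but is predictable.
    An attacker who can submit a chosen plaintext and knows the next IV sends
    P' = guess XOR iv_prev XOR iv_next.  Then E_k(P' XOR iv_next) = E_k(guess XOR iv_prev),
    which equals the earlier first ciphertext block exactly when the guess was right."""
    probe = xor(xor(guess, iv_prev), iv_next)
    return cbc_encrypt(key, iv_next, probe)[:BLOCK] == c_prev_block0


if __name__ == "__main__":
    key = os.urandom(16)
    iv = bytes(range(16))                      # constructed: deliberately reused below
    p1 = b"acct=0000000001;amt=100"            # constructed sample messages
    p2 = b"acct=0000000001;amt=999"
    print("CTR, reused IV, P2 recovered from C1^C2^P1:", ctr_iv_reuse_leak(key, iv, p1, p2))
    print("CBC, reused IV, shared leading blocks:", cbc_common_prefix_blocks(key, iv, iv, p1, p2))
    print("CBC, fresh IVs, shared leading blocks:", cbc_common_prefix_blocks(key, iv, os.urandom(16), p1, p2))
    iv_prev, iv_next = (5).to_bytes(16, "big"), (6).to_bytes(16, "big")   # serial-number IVs
    c_prev = cbc_encrypt(key, iv_prev, p1)
    print("CBC, serial IV, guess 'acct=0000000001;' confirmed:",
          cbc_predictable_iv_guess(key, iv_prev, c_prev[:16], iv_next, p1[:16]))
```

The CTR case is total plaintext recovery from a single known message; the CBC case leaks whether two messages start the same way. The last function is why a counter or serial number, although unique, still fails for CBC: the attacker can test a guess for any earlier block as long as the next IV is known before the chosen plaintext is submitted. A random, unpredictable IV per message removes all three.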

This archive was generated by hypermail 2b29 : Sun Oct 15 2000 - 21:00:27 EST