> <snip>
> > > IV generation is what I am worried about.
> > > There is a paper about why it is a bad idea to use
> > > sequence numbers for CBC IV's. I just have to find the reference to it.
> > Does this mean sequence as in 0,1,2,3,4 ... or does this mean
> > any pre-calculate-able sequence ? In the former case we might just use
> > a simple one way hash-function over the requested sector number.
> >
>
> I guess it means 0,1,2,3,4..., but you might want to check
> http://www.cs.ucdavis.edu/~rogaway/papers/draft-rogaway-ipsec-comments-00.txt
Ok, I read it and here is the paragraph, which refers to IVs:
-------------snip-------------------------------------------------------
RECOMMENDATION 10: Each transform should fully specify one partic-
ular function (though this function may be probabilistic or state-
ful). For example, if one has a mechanism like DES-CBC, one must
specify how the initialization vector is to be selected.
The reason for this recommendation is experience that indicates that
if a transform is not completely specified, implementors will not
know how to finish the "missing pieces" in a way that is cryptograph-
ically correct. As an example, it is not true that CBC encryption
can use an arbitrary nonce initialization vector: it is essential
that the IV be unpredictable by the adversary. (To see this, suppose
the IV is a sequence number: 0, 1, 2, ... . Then a (first) encryp-
tion of 0x0000000000000000 followed by an encryption of
0x0000000000000001 is recognizably distinct from a (first) encryption
of 0x0000000000000000 followed by an encryption of
0x0000000000000000. Clearly this violates violates the notion of a
secure encryption sketched in Section 2.)
-------------snip-------------------------------------------------------
So I think what is written in "Applied Cryptography" (by Bruce Schneier)
is correct. A sequence is ok, as long as you can't predict the start
of the sequence.
The key sentence in the above statement is:
"It is essential that the IV be unpredictable by the adversary"
If I understand this correctly it means that you CAN use a
simple increasing sequence, as long as you make sure that the
start value of the sequence is unknown.
A simple implementation (which doesn't affect loop.c, but only
the ciphers) is to calculate an IVseed from the key and use
an addition of "IVseed" + "block/sector number" as IV for
the encryption of one block/sector. (This is simplified a
version of the approach suggested by David Wagner.
He suggested to encrypt the block/sector number and
then use the the encrypted sector number as IV.
This seems even more secure, but if the above paragraph
is correct than simply using a sequence, which starts at
an unpredictable point should be enough... Comments ?)
so long
Ingo
PS: I plan to put a revised implementation and patch set of Twofish
on my homepage "http://www.in.tum.de/~rohloff". Please have a look
at the description of the above scheme in my twofish implementation.
I would like to hear some comments about it...
I will do a second version, which implements David Wagners approach,
because after some though I think the performance degradation is less
than I expected at a first glance...
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Mon Oct 23 2000 - 21:00:09 EST