On Jul 9, 2010, at 1:55 12PM, Jonathan Katz wrote:

> CTR mode seems a better choice here. Without getting too technical, security
> of CTR mode holds as long as the IVs used are "fresh" whereas security of CBC
> mode requires IVs to be random.
>
> In either case, a problem with a short IV (no matter what you do) is the
> possibility of IVs repeating. If you are picking 32-bit IVs at random, you
> expect a repeat after only (roughly) 2^16 encryptions (which is not very
> many).
>
Unless I misunderstand your point, I think that in the real world there's a very real difference in the insecurity of CBC vs CTR if the IV selection is faulty. With CBC, there is semantic insecurity, in that one can tell if two messages have a common prefix if the IV is the same. Furthermore, if the IV is predictable to the adversary, under certain circumstances some plaintext can be recovered. With CTR, however, there are very devastating two-message attacks if the IVs are the same; all that's necessary is some decent knowledge of some probable plaintext.

		--Steve Bellovin, http://www.cs.columbia.edu/~smb

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
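The two IV-reuse failure modes discussed in this thread (CBC leaking a common prefix, CTR collapsing into a two-time pad), worked through as an added example that is not part of the original messages. A SHA-256-based keyed function stands in for AES so the script runs without third-party libraries; the key, IVs and messages are constructed sample values.

```python
import hashlib
BLOCK = 16  # block size in bytes, as for AES

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in for a real block cipher (AES): a keyed PRF from SHA-256. Not
    # invertible, so only encryption is modelled, which is all the checks need.
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    # CTR: keystream block i is E_k(iv + i); ciphertext is pt XOR keystream.
    ctr, out = int.from_bytes(iv, "big"), b""
    for i in range(0, len(pt), BLOCK):
        counter_block = ((ctr + i // BLOCK) % (1 << 128)).to_bytes(BLOCK, "big")
        out += xor(pt[i:i + BLOCK], block_encrypt(key, counter_block))
    return out

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    # CBC: C_i = E_k(P_i XOR C_{i-1}) with C_0 = iv; pt must be block-aligned.
    assert len(pt) % BLOCK == 0
    prev, out = iv, b""
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_common_prefix_blocks(c1: bytes, c2: bytes) -> int:
    # Leading ciphertext blocks that match. With a reused IV this equals the
    # number of matching leading plaintext blocks; with distinct IVs it is 0.
    n = 0
    for i in range(0, min(len(c1), len(c2)), BLOCK):
        if c1[i:i + BLOCK] != c2[i:i + BLOCK]:
            break
        n += 1
    return n

def ctr_iv_reuse_leak(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    # CTR two-message failure: a reused IV means identical keystreams, so
    # c1 XOR c2 = p1 XOR p2, and knowing p1 gives p2 in full.
    return xor(xor(c1, c2), known_p1)

# Constructed sample values, not from the thread.
KEY, IV_A, IV_B = b"example-key-0123", b"\x00" * BLOCK, b"\x01" * BLOCK
P1 = b"Dear Bob, meet me at noon today."  # first 16 bytes identical to P2
P2 = b"Dear Bob, meet me at dusk today."
```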