On Sep 10, 2013, at 10:57 PM, ianG wrote:
> In a protocol I wrote with Zooko's help, we generate a random IV0 which is 
> shared in the key exchange.
> 
> http://www.webfunds.org/guide/sdp/sdp1.html
> 
> Then, we also move the padding from the end to the beginning, fill it with a 
> non-repeating length-determined value, and expand it to a size of 16-31 
> bytes.  This creates what is in effect an IV1 or second transmitted IV.
> 
> http://www.webfunds.org/guide/sdp/pad.html
You should probably look at the Rogaway paper I found after Perry pushed me to 
give a reference.  Yes, CBC with a true random IV is secure, though the 
security guarantee you can get if you don't also do authentication is rather 
weak.  The additional padding almost certainly doesn't help or hurt.  (I won't 
say that any more strongly because I haven't looked at the proofs.)

                                                        -- Jerry
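
The two points the thread raises, CBC under a fresh random IV and the 16-31 byte pad moved to the front of the message, together with the authentication Jerry says is missing from the guarantee, as an added Go example (not code from either poster and not the SDP implementation): Seal encrypts with AES-CBC and a random IV and tags IV plus ciphertext with HMAC-SHA256, and Open verifies the tag before it decrypts anything. The pad layout (first byte is the pad length, remaining bytes a counter), the separate MAC key and the IV||ciphertext||tag framing are assumptions made here, not SDP's format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// prefixPad puts the pad at the FRONT of the message, as the thread describes: 16..31 bytes, pad[0] = pad length, rest a counter (a sketch, not SDP's exact format).
func prefixPad(msg []byte) []byte {
	pad := make([]byte, 16+(aes.BlockSize-(len(msg)+16)%aes.BlockSize)%aes.BlockSize)
	for i := range pad {
		pad[i] = byte(len(pad) + i) // pad[0] carries the length; later bytes never repeat
	}
	return append(pad, msg...)
}

// Seal: AES-CBC under a fresh random IV, then HMAC-SHA256 over IV||ciphertext (encrypt-then-MAC); output is IV || ciphertext || tag.
func Seal(blk cipher.Block, macKey, msg []byte) ([]byte, error) {
	out := append(make([]byte, aes.BlockSize), prefixPad(msg)...)
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(blk, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], out[aes.BlockSize:])
	mac := hmac.New(sha256.New, macKey)
	mac.Write(out)
	return mac.Sum(out), nil
}

// Open checks the tag in constant time BEFORE decrypting: a flipped ciphertext bit is rejected rather than silently altering the plaintext.
func Open(blk cipher.Block, macKey, sealed []byte) ([]byte, error) {
	n := len(sealed) - sha256.Size
	if n < 2*aes.BlockSize || n%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	mac := hmac.New(sha256.New, macKey)
	mac.Write(sealed[:n])
	if !hmac.Equal(mac.Sum(nil), sealed[n:]) {
		return nil, errors.New("authentication failed")
	}
	pt := make([]byte, n-aes.BlockSize)
	cipher.NewCBCDecrypter(blk, sealed[:aes.BlockSize]).CryptBlocks(pt, sealed[aes.BlockSize:n])
	if p := int(pt[0]); p >= 16 && p <= 31 && p <= len(pt) {
		return pt[p:], nil
	}
	return nil, errors.New("bad pad")
}
```

Because the tag is checked before any decryption, a receiver never sees padding or plaintext derived from tampered ciphertext, which is the property plain CBC with a random IV does not give on its own.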

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
