Re: Question w.r.t. AES-CBC IV

2010-07-10 Thread David Wagner
Jerry Leichter wrote:
> CTR mode is dangerous unless you're also doing message authentication,

Nitpick: That's true of CBC mode, too, and almost any other encryption mode. Encryption without authentication is dangerous; if you need to encrypt, you almost always need message authentication as w

Re: Question w.r.t. AES-CBC IV

2010-07-10 Thread Chris Palmer
Ralph Holz writes:
> He wanted to scrape off some additional bits when using AES-CBC because
> the messages in his concept are very short (a few hundred bit). So he

I'd rather have a known-safe design than to save 12 bytes. Seriously: what the hell. Say you have 1-byte messages, and that the cr

Re: Question w.r.t. AES-CBC IV

2010-07-10 Thread Peter Gutmann (alt)
Ralph Holz writes:
> CTR mode seems a better choice here. Without getting too technical, security
> of CTR mode holds as long as the IVs used are "fresh" whereas security of CBC
> mode requires IVs to be random.

Unfortunately CTR mode, being a stream cipher, fails completely if the IVs/keys aren't

Re: Question w.r.t. AES-CBC IV

2010-07-09 Thread Jerry Leichter
On Jul 9, 2010, at 1:55 PM, Jonathan Katz wrote:
> CTR mode seems a better choice here. Without getting too technical, security
> of CTR mode holds as long as the IVs used are "fresh" whereas security of CBC
> mode requires IVs to be random.
>
> In either case, a problem with a short IV (no matter wha

Re: Question w.r.t. AES-CBC IV

2010-07-09 Thread Steven Bellovin
On Jul 9, 2010, at 1:55 PM, Jonathan Katz wrote:
> CTR mode seems a better choice here. Without getting too technical, security
> of CTR mode holds as long as the IVs used are "fresh" whereas security of CBC
> mode requires IVs to be random.
>
> In either case, a problem with a short IV (no

Re: Question w.r.t. AES-CBC IV

2010-07-09 Thread Greg Rose
Unfortunately I can't remember the author, but there was a paper showing that an encrypted counter was secure to use as IVs for CBC mode. So encrypting a shorter random IV should also be secure.

Greg.

On 2010 Jun 2, at 9:36, Ralph Holz wrote:
> Dear all,
>
> A colleague dropped in yesterday an

Re: Question w.r.t. AES-CBC IV

2010-07-09 Thread Jonathan Katz
CTR mode seems a better choice here. Without getting too technical, security of CTR mode holds as long as the IVs used are "fresh" whereas security of CBC mode requires IVs to be random. In either case, a problem with a short IV (no matter what you do) is the possibility of IVs repeating. If y