Marc Mutz  wrote:
>> There are some who believe that "not unique" IVs (across multiple
>> filesystems) facilitate some methods of cryptanalysis.
>
>Do you have a paper reference?

There's no paper, because it's too trivial to appear in a paper.
But you can find this weakness described in any good crypto textbook.
See, e.g., Bruce Schneier's _Applied Cryptography_; the section on
CBC mode says that IVs must not repeat.  (However, it does get one
thing wrong: it claims that it's ok to use a serial number for your
IV.  This is not correct, and I can give a reference for this latter,
subtler point, if you like.)

>As CTR mode _requires_ unique IVs (CBC does not),

Sorry, that turns out not to be the case.  Both CBC and CTR mode
require unique IVs (for security).

>the upper half of the
>IV could be initialized from the key

It's a bad idea to include key material in your IV.  (Kerberos did
it, and there were some attacks as a result.)  I recommend against it.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
Please read the FAQ at http://www.tux.org/lkml/
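The following is an added illustration of the point argued in the message above, not code from the thread or from any filesystem project: it uses the Go standard library's AES-128 implementation to show what a repeated IV leaks in each of the two modes under discussion. The key, the two "per-volume" IVs and the two 48-byte records are constructed here for the demonstration. In CBC mode, encrypting two records under the same key and IV exposes exactly how many leading blocks the plaintexts have in common (here two), while a fresh IV hides even that. In CTR mode the damage is worse: with a repeated IV the XOR of the two ciphertexts equals the XOR of the two plaintexts, so knowing one record recovers the other byte for byte.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

const blockSize = aes.BlockSize // 16 bytes for AES

// Constructed demo material (not from the original thread): a 16-byte AES-128
// key, two fixed IVs standing in for "IV derived from a per-filesystem
// constant", and two 48-byte records that share their first two blocks.
var (
	key = []byte("0123456789abcdef")
	ivA = []byte("fixed-iv-fs-vol1")
	ivB = []byte("fixed-iv-fs-vol2")

	sharedHeader = []byte("BEGIN RECORD 0001 owner=alice   ") // 32 bytes
	pt1          = concat(sharedHeader, []byte("balance=00000100"))
	pt2          = concat(sharedHeader, []byte("balance=99999999"))
)

func concat(a, b []byte) []byte {
	out := make([]byte, 0, len(a)+len(b))
	out = append(out, a...)
	return append(out, b...)
}

// cbcEncrypt encrypts pt (a whole number of blocks, no padding) in CBC mode.
func cbcEncrypt(key, iv, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return ct
}

// ctrEncrypt encrypts pt in CTR mode; the IV is the initial counter block.
func ctrEncrypt(key, iv, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	ct := make([]byte, len(pt))
	cipher.NewCTR(block, iv).XORKeyStream(ct, pt)
	return ct
}

// commonPrefixBlocks counts how many leading 16-byte blocks a and b share.
func commonPrefixBlocks(a, b []byte) int {
	n := 0
	for (n+1)*blockSize <= len(a) && (n+1)*blockSize <= len(b) {
		if !bytes.Equal(a[n*blockSize:(n+1)*blockSize], b[n*blockSize:(n+1)*blockSize]) {
			break
		}
		n++
	}
	return n
}

func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// CBCPrefixLeak encrypts pt1 under iv1 and pt2 under iv2 with the same key and
// reports how many leading ciphertext blocks match. With iv1 == iv2 the count
// equals the number of leading plaintext blocks the records share (the first
// block is E(P1 XOR IV), and CBC chaining carries equality forward until the
// plaintexts diverge). With distinct IVs even the first blocks differ, because
// AES is a permutation and its inputs P1 XOR iv1 and P1 XOR iv2 differ.
func CBCPrefixLeak(iv1, iv2 []byte) int {
	return commonPrefixBlocks(cbcEncrypt(key, iv1, pt1), cbcEncrypt(key, iv2, pt2))
}

// RecoverCTRSibling models an attacker holding both ciphertexts who knows pt1
// (a known-plaintext setting). Under CTR, ct = pt XOR keystream(key, iv), so
// if the IV repeats, ct1 XOR ct2 XOR pt1 equals pt2 exactly. With distinct
// IVs the keystreams differ from the first block on and the result is noise.
func RecoverCTRSibling(iv1, iv2 []byte) []byte {
	ct1 := ctrEncrypt(key, iv1, pt1)
	ct2 := ctrEncrypt(key, iv2, pt2)
	return xorBytes(xorBytes(ct1, ct2), pt1)
}

func main() {
	fmt.Printf("CBC, repeated IV:  %d leading blocks match\n", CBCPrefixLeak(ivA, ivA))
	fmt.Printf("CBC, distinct IVs: %d leading blocks match\n", CBCPrefixLeak(ivA, ivB))
	fmt.Printf("CTR, repeated IV,  recovered pt2: %q\n", RecoverCTRSibling(ivA, ivA))
	fmt.Printf("CTR, distinct IVs, 'recovered':   %q\n", RecoverCTRSibling(ivA, ivB))
}
```

The CBC leak is deterministic rather than probabilistic: two records with the same leading blocks encrypted under the same key and IV always produce the same leading ciphertext blocks, which is exactly what an attacker comparing encrypted volumes (or snapshots of the same volume) can exploit without knowing the key.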