From: <fr...@baggins.org>
I believe this will reuse the same IV for block2 that it uses for
block1. It will appear to work but is a really bad idea and will lead
to major security problems.
From: "Jeffrey Walton" <noloa...@gmail.com>
You should have a look at Microsoft's paper by Niels Ferguson on
Bitlocker's design and implementation. It's a very practical and
approachable paper. It seems to me your problem domain has a lot of
overlap with Bitlocker's requirements.
...
"AES-CBC + Elephant diffuser: A Disk Encryption Algorithm for Windows
Vista,"
http://download.microsoft.com/download/0/2/3/0238acaf-d3bf-4a6d-b3d6-0a0be4bbb36e/BitLockerCipher200608.pdf.
Thanks. I've just read the beginning of the Bitlocker paper. It looks
interesting and I'll read through it.
At present, I'm thinking of doing the following:
1. Generate one 128-bit or 256-bit random master key.
2. Generate one random 128-bit or 256-bit file encryption key and one random
128-bit IV for each file. Encrypt those keys and IVs with the master key and
store them on disk. That is, attackers cannot know the file keys and IVs
from the disk.
3. Use the same key and IV for all 4KB blocks in one file.
But folks here gave me suggestions that different IVs should be used for
each 4KB block. I think I should do that, and I'd like to follow that
precious advice.
(However, I'm wondering if it is really dangerous to use the same IV for all
blocks in a file, because the IVs are random and encrypted.)
Regards
MauMau
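The following is an added illustration, not code from the thread or from OpenSSL, of why step 3 (one key and one IV for every 4KB block of a file) leaks information under CBC even though the IV is random and stored encrypted, and how a distinct IV per block avoids it. It uses only the Go standard library; the keys, the file IV and the extra IV-derivation key (an ESSIV-style construction) are constructed assumptions, not values from the thread.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Constructed demo values for step 2's random keys/IV; ivKey is an assumed extra key used only for per-block IVs.
var fileKey, ivKey = bytes.Repeat([]byte{0x11}, 32), bytes.Repeat([]byte{0x22}, 32)
var fileIV = bytes.Repeat([]byte{0x33}, 16)

func encryptCBC(iv, plain []byte) []byte { // AES-CBC of one 4 KB file block under fileKey
	blk, _ := aes.NewCipher(fileKey) // 32-byte key, so NewCipher cannot fail
	out := make([]byte, len(plain))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(out, plain)
	return out
}

func blockIV(n uint64) []byte { // per-block IV AES_ivKey(n): distinct for every block number n
	blk, _ := aes.NewCipher(ivKey)
	var in, iv [16]byte
	binary.BigEndian.PutUint64(in[8:], n)
	blk.Encrypt(iv[:], in[:])
	return iv[:]
}

// sharedPrefixBlocks encrypts two 4 KB blocks whose first 1 KiB is identical and
// counts leading 16-byte cipher blocks that match: 64 with one fixed IV (CBC is
// deterministic, so equal plaintext prefixes are visible on disk), 0 with per-block IVs.
func sharedPrefixBlocks(perBlockIV bool) int {
	p1 := bytes.Repeat([]byte{'A'}, 4096)
	p2 := append(bytes.Repeat([]byte{'A'}, 1024), bytes.Repeat([]byte{'B'}, 3072)...)
	iv1, iv2 := fileIV, fileIV
	if perBlockIV {
		iv1, iv2 = blockIV(0), blockIV(1)
	}
	c1, c2 := encryptCBC(iv1, p1), encryptCBC(iv2, p2)
	n := 0
	for n < 256 && bytes.Equal(c1[n*16:n*16+16], c2[n*16:n*16+16]) {
		n++
	}
	return n
}

func main() {
	fmt.Println("fixed IV:", sharedPrefixBlocks(false), "per-block IV:", sharedPrefixBlocks(true))
}
```

The same determinism also lets an observer who sees the disk twice tell whether a rewritten block carried the same content, which is what the earlier replies mean by "major security problems".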
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org