On 18 June 2013 19:22, Jakob Bohm <jb-open...@wisemo.com> wrote:
> Fundamentally, every CBC block except the first will use what you call a
> "predictable" IV, namely the previous ciphertext block. To make any sense,
> security arguments about this need to be very clear about what is
> and is not vulnerable.

Your clarification on when an IV becomes "predictable" is a useful build on
the discussion.

> Summarily telling anyone using CBC to never chain on from one message to
> the next and/or to switch to inherently less secure modes such as CTR just
> to avoid an attack that has so many other countermeasures is very
> bad advice, especially when done in a public forum, which is why I could not
> allow your bad arguments to stand unopposed.

I don't accept that CTR is "inherently less secure" than CBC. Both have
their strengths and weaknesses, and arguments can be made either way.

>> Agreed. CTR is a good mode if you use it right and understand its
>> limitations. If you abuse it you are in for a lot of trouble. But then
>> that is probably true of crypto generally. I would also strongly
>> advise that anyone using CTR (or CBC for that matter) properly
>> consider integrity issues.
>
> I have not seen any attacks on the "CBC IV problem" that were at all
> preventable by integrity checks.
>
> I have seen and used techniques that prevent the issue in a way which
> is entangled with integrity checks, but the prevention is not due to
> the integrity protection itself.

I was not intending to imply that my statement around integrity solves the
CBC IV problem.

Matt
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
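The attack the thread is circling around, as an added example that is not part of the original message and not OpenSSL code: an AES-CBC encryptor that chains the next message's IV from the previous ciphertext block, and an attacker with a chosen-plaintext oracle who uses that predictable IV to confirm a guess for one secret block. The same attacker, run against an encryptor that draws a fresh random IV for every message, recovers nothing. The key, the secret block, the candidate list and the `Encryptor`/`RecoverFirstBlock` names are all constructed for this demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Encryptor is AES-CBC in one of two configurations. chainIV=true makes the
// next message's IV the last ciphertext block of the previous message (the
// thread's "predictable IV"); chainIV=false uses a fresh random IV each time.
type Encryptor struct {
	block   cipher.Block
	chainIV bool
	nextIV  []byte
}

func NewEncryptor(key []byte, chainIV bool) (*Encryptor, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	e := &Encryptor{block: b, chainIV: chainIV, nextIV: make([]byte, aes.BlockSize)}
	if _, err := rand.Read(e.nextIV); err != nil {
		return nil, err
	}
	return e, nil
}

// Encrypt handles a whole number of blocks (padding is beside the point here)
// and returns the IV it used together with the ciphertext.
func (e *Encryptor) Encrypt(pt []byte) (iv, ct []byte, err error) {
	if len(pt) == 0 || len(pt)%aes.BlockSize != 0 {
		return nil, nil, fmt.Errorf("plaintext must be a multiple of %d bytes", aes.BlockSize)
	}
	iv = append([]byte(nil), e.nextIV...)
	ct = make([]byte, len(pt))
	cipher.NewCBCEncrypter(e.block, iv).CryptBlocks(ct, pt)
	if e.chainIV {
		e.nextIV = PredictNextIV(ct) // this is what makes the IV predictable
	} else if _, err := rand.Read(e.nextIV); err != nil {
		return nil, nil, err
	}
	return iv, ct, nil
}

// PredictNextIV is the attacker's model of a chaining encryptor: the next IV
// is the last ciphertext block they have just seen on the wire.
func PredictNextIV(ct []byte) []byte {
	return append([]byte(nil), ct[len(ct)-aes.BlockSize:]...)
}

func xorBlocks(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// RecoverFirstBlock is the chosen-plaintext check. Having observed (iv0, ct0)
// for a secret message and predicting the IV of the next encryption, the
// attacker submits guess XOR iv0 XOR ivNext. CBC computes E_K(P XOR IV), so
// the oracle returns E_K(guess XOR iv0), which equals ct0's first block
// exactly when guess is the secret block. After each probe the attacker
// re-predicts the IV from the probe's own ciphertext, as chaining would set it.
func RecoverFirstBlock(oracle *Encryptor, iv0, ct0, ivNext []byte, candidates [][]byte) ([]byte, error) {
	target := ct0[:aes.BlockSize]
	for _, guess := range candidates {
		probe := xorBlocks(xorBlocks(guess, iv0), ivNext)
		_, probeCT, err := oracle.Encrypt(probe)
		if err != nil {
			return nil, err
		}
		if bytes.Equal(probeCT[:aes.BlockSize], target) {
			return guess, nil
		}
		ivNext = PredictNextIV(probeCT)
	}
	return nil, nil
}

// RunAttack builds an encryptor of the requested kind, lets the attacker see
// one secret message, and returns what they recover (nil for nothing).
// Key, secret and candidates are constructed for the demo.
func RunAttack(chainIV bool) ([]byte, error) {
	oracle, err := NewEncryptor(bytes.Repeat([]byte{0x42}, 16), chainIV)
	if err != nil {
		return nil, err
	}
	iv0, ct0, err := oracle.Encrypt([]byte("password=hunter2")) // one 16-byte block
	if err != nil {
		return nil, err
	}
	candidates := [][]byte{
		[]byte("password=letmein"), []byte("password=qwerty1"), []byte("password=hunter2"),
	}
	return RecoverFirstBlock(oracle, iv0, ct0, PredictNextIV(ct0), candidates)
}

func main() {
	for _, chained := range []bool{true, false} {
		got, err := RunAttack(chained)
		if err != nil {
			panic(err)
		}
		fmt.Printf("chained IV=%v recovered=%q\n", chained, got)
	}
}
```

Against the chaining encryptor the third probe matches and `password=hunter2` comes back; against the random-IV encryptor the attacker's predicted IV is wrong for every probe, so no candidate matches. The attack needs the attacker to both see the previous ciphertext and get a plaintext of their choosing encrypted before the IV changes; removing either condition, not just the chaining, is enough to stop this particular check.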