Watson Ladd <watsonbl...@gmail.com>:
> The use of predictable IVs in TLS 1.0 was first commented on by
> Rogaway in 1995. (I'm hunting down the source, but this is from a
> presentation of Patterson)
I think you mean http://web.cs.ucdavis.edu/~rogaway/papers/draft-rogaway-ipsec-comments-00.txt, which discussed the problem of predictable IVs in the context of work towards IPSEC, without making the connection to SSL. Note that this was before TLS 1.0 and, I think, before SSL 3.0. SSL 2.0 already had predictable CBC IVs but placed the MAC before the payload in the to-be-encrypted data, which, through sheer luck, avoided the problem.

Bodo
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
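The chosen-plaintext problem with chained CBC IVs that the thread refers to, and the reason the SSL 2.0 MAC-first layout happens to sidestep it, as an added worked example (not code from the thread or from any SSL/TLS implementation). It assumes a stand-in block cipher built from HMAC-SHA256 truncated to one block, constructed demo keys, a constructed secret block, a record layer that chains each record's IV from the previous record's last ciphertext block, and a simplified MAC with no padding; the function names `ChainedCbcRecordLayer`, `guess_block_is` and `run_attack` are this example's own.

```python
import hashlib
import hmac

BLOCK = 16

# Constructed demo keys; in a real session these come from the handshake.
ENC_KEY = b"demo-encryption-key"
MAC_KEY = b"demo-mac-key"
# Constructed secret the attacker wants to confirm a guess about (exactly one block).
SECRET_BLOCK = b"cookie=SECRET_01"


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in block cipher (assumption): a keyed PRF truncated to one block.
    The attack only uses the forward direction, so invertibility is not needed."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    assert len(data) % BLOCK == 0, "demo skips padding; callers pass whole blocks"
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


class ChainedCbcRecordLayer:
    """Records are CBC-encrypted with the IV chained from the previous record's
    last ciphertext block (the SSL 3.0 / TLS 1.0 behaviour the thread discusses).
    mac_first=True puts the MAC block in front of the payload (SSL 2.0 layout);
    False appends it after the payload."""

    def __init__(self, mac_first: bool):
        self.mac_first = mac_first
        # The very first IV is secret (derived from key material); only later
        # IVs become predictable because they are ciphertext seen on the wire.
        self.chain = block_encrypt(ENC_KEY, b"initial IV seed".ljust(BLOCK, b"\0"))

    def send(self, payload: bytes) -> bytes:
        mac = hmac.new(MAC_KEY, payload, hashlib.sha256).digest()[:BLOCK]
        data = mac + payload if self.mac_first else payload + mac
        ct = cbc_encrypt(ENC_KEY, self.chain, data)
        self.chain = ct[-BLOCK:]  # next record's IV, visible to any eavesdropper
        return ct


def guess_block_is(secret_ct: bytes, chain_before_secret: bytes,
                   layer: ChainedCbcRecordLayer, guess: bytes) -> bool:
    """Attacker step: test whether the block encrypted as secret_ct was `guess`.
    The attacker knows the ciphertext block that was XORed into the secret and
    predicts the IV of the record they are about to trigger as the last block
    currently on the wire. Crafting X = guess ^ chain_before_secret ^ predicted_iv
    makes E(X ^ predicted_iv) == E(guess ^ chain_before_secret), which equals
    secret_ct exactly when the guess is right. With the MAC in front, the block
    that actually precedes the attacker's payload is E(MAC ^ IV), which they
    cannot predict, so the comparison fails even for a correct guess."""
    predicted_iv = layer.chain
    crafted = xor(xor(guess, chain_before_secret), predicted_iv)
    ct = layer.send(crafted)  # attacker-influenced plaintext, as in a CPA setting
    off = BLOCK if layer.mac_first else 0
    return ct[off:off + BLOCK] == secret_ct


def run_attack(mac_first: bool, guess: bytes) -> bool:
    """Full scenario: one unrelated record, one record carrying the secret,
    then one attacker-chosen record. Returns the attacker's verdict on `guess`."""
    layer = ChainedCbcRecordLayer(mac_first)
    first_record = layer.send(b"unrelated data".ljust(BLOCK, b"\0"))
    secret_record = layer.send(SECRET_BLOCK)
    off = BLOCK if mac_first else 0
    secret_ct = secret_record[off:off + BLOCK]
    # The chaining input to the secret block is public in both layouts: either
    # the previous record's last block or the secret record's own MAC block.
    chain_before_secret = secret_record[:BLOCK] if mac_first else first_record[-BLOCK:]
    return guess_block_is(secret_ct, chain_before_secret, layer, guess)


if __name__ == "__main__":
    print("MAC last, right guess :", run_attack(False, SECRET_BLOCK))
    print("MAC last, wrong guess :", run_attack(False, b"cookie=SECRET_02"))
    print("MAC first, right guess:", run_attack(True, SECRET_BLOCK))
```

Running it shows the MAC-last layout confirming the correct guess and rejecting a wrong one, while the MAC-first layout rejects even the correct guess because the attacker's guess check assumed the predictable IV would chain directly into their block. The stand-in cipher is a PRF, not a permutation, so a wrong guess could in principle collide with the secret's ciphertext, but only with probability around 2^-128.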