Subject: Re: crypto(4) and IVs
To: None <tech-crypto@NetBSD.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-crypto
Date: 05/29/2005 00:41:20
>> I find that when I do a CIOCCRYPT, the IV is not modified. How am I
>> supposed to get the correct IV for my next call? Do I have to go
>> under the hood and "know" that for the cipher I'm using (3DES_CBC)
>> it's the last block of the encrypted data (output for ENCRYPT, input
>> for DECRYPT)? Or is there something I'm missing?
> In fact, the interface should not do that. There are a number of
> subtle attacks possible if the IV is predictable by the enemy; thus,
> in things like packet-oriented crypto, you should *not* use the last
> block of the previous message as the IV for the next message.
I didn't say anything about packet-oriented. For many cases - such as
encrypting a stream of data in CBC mode one bufferful at a time - you
_do_ want that. For the cases where you don't, I can't see any harm in
returning it (except possibly the minor inconvenience of having to keep
a separate IV buffer around).
And since I can't see any way short of going under the hood - wiring
algorithm-specific knowledge into the code - to figure out what the
next IV should be when you _do_ want to process a single effective
buffer as multiple physical buffers, I think it should do that.
The only downside I can see is that it may tempt people who don't know
what they're doing to design protocols vulnerable to such attacks. But
if you've got a protocol designer who designs crypto protocols based on
what's easy to code using a particular interface, you're dealing with a
sufficient lack of crypto clue that I doubt any interface design will
save you.
As it happens, the use I expect to make of it _will_ be
packet-oriented, but the protocol is already designed and frozen; in
order to interoperate using 3des-cbc at all, I have to implement that
kind of IV chaining. All this interface achieves is to make my life as
an implementer harder; it does not make any security difference at all.
In passing, I have to wonder whether you were just being careless with
language when you wrote "predictable". Chained CBC does not produce a
predictable IV; it produces an unpredictable IV which it then reveals.
Against an adaptive chosen plaintext attack, there is no practical
difference, but against most weaker threat models, I see no reason to
think the difference is unimportant.
/~\ The ASCII der Mouse
\ / Ribbon Campaign
X Against HTML mouse@rodents.montreal.qc.ca
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B