Re: crypto(4) and IVs

To: der Mouse <mouse%Rodents.Montreal.QC.CA@localhost>
Subject: Re: crypto(4) and IVs
From: "Steven M. Bellovin" <smb%cs.columbia.edu@localhost>
Date: Sun, 29 May 2005 00:05:46 -0400

In message <200505290104.VAA22460%Sparkle.Rodents.Montreal.QC.CA@localhost>, 
der Mouse wr
ites:
>I've been trying to do useful things with crypto(4) - or more
>precisely, trying to write code to pound on it in the hope of figuring
>out why I'm seeing certain errors when talking to a machine with a
>crypto accelerator in it.
>
>I find that when I do a CIOCCRYPT, the IV is not modified.  How am I
>supposed to get the correct IV for my next call?  Do I have to go under
>the hood and "know" that for the cipher I'm using (3DES_CBC) it's the
>last block of the encrypted data (output for ENCRYPT, input for
>DECRYPT)?  Or is there something I'm missing?
>

In fact, the interface should not do that.  There are a number of 
subtle attacks possible if the IV is predictable by the enemy; thus, in 
things like packet-oriented crypto, you should *not* use the last block 
of the previous message as the IV for the next message.  (Yes, I know 
that RFC 2405 suggests that.  It's wrong.)


                --Steven M. Bellovin, http://www.cs.columbia.edu/~smb

Follow-Ups:
- Re: crypto(4) and IVs
  - From: der Mouse

References:
- crypto(4) and IVs
  - From: der Mouse

Prev by Date: crypto(4) and IVs
Next by Date: Re: crypto(4) and IVs
Previous by Thread: crypto(4) and IVs
Next by Thread: Re: crypto(4) and IVs
Indexes:

Home | Main Index | Thread Index | Old Index