[PYTHON-CRYPTO] aes library
Paul
Paul at CRYPTORIGHTS.ORG
Sat Apr 20 23:23:33 CEST 2002
At 5:32 AM -0700 4/20/02, Zooko wrote:
> two weeks ago, on Apr 5, Paul Rubin <phr-pycrypt at NIGHTSONG.COM> wrote:
>>
>> ECB, CBC, CFB and OFB are described here:
>>
>> http://www.iks-jena.de/mitarb/lutz/security/cryptfaq/q82.html
>> http://www.iks-jena.de/mitarb/lutz/security/cryptfaq/q83.html
>>
>> CTR is done by just encrypting the blocks 0001, 0002, 0003, ...
>> and xoring the resulting stream against the plaintext stream.
>>
>> It has the advantage of being very simple, and not needing special
>> padding if you want to encrypt a plaintext of 23 bytes or something
>> like that. Its disadvantages are that you must never re-use a key,
>
>Untrue -- you must never re-use a (key, IV) *pair*. This is the same
>constraint that CBC, CFB and OFB have as far as I understand. (I'm not very
>familiar with those modes.)
>
>> and it is somewhat more subject to ciphertext modification attacks
>> than other modes. Flipping a single bit in the ciphertext results in
>> flipping the same bit in the plaintext without disturbing the
>> surrounding bits.
>
>This is true, but it isn't a novel vulnerability so much as a more dramatic
>version of a vulnerability that all the modes under discussion share. One
>really should not rely on the bit-disturbing properties of the other modes,
>either. If you want non-malleability or authentication or whatever, then you
>need to use an algorithm that guarantees it, not rely on some bit-disturbing
>side effect of your encryption mode.
Yes ... repeated IV totally breaks CTR. For CBC, it's a very very
minor risk that at worst may expose that two encrypted items are
similar.
>
>
>By the way, I'm a lot less positive about CTR mode after the conversation
>about it between you (Paul Rubin), Bram Cohen and I on this list a few weeks
>ago. All three of us, experienced crypto hackers all, made substantial errors
>about usage (management of the key and IV). I think this demonstrates that it
>really is harder for people to use CTR mode properly.
It also shows why IV should be part of the algorithm processing and
not a parameter.
Paul
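The CTR construction described in the quoted exchange, as an added example that is not code from the list or from any poster: counter blocks 0, 1, 2, ... encrypted under a nonce and XORed onto the data, so a 23-byte plaintext needs no padding, a flipped ciphertext bit flips exactly the same plaintext bit, and a repeated (key, nonce) pair leaks the XOR of two plaintexts. An encrypt-then-MAC wrapper is added beside it because, as the thread says, integrity must come from a separate mechanism. The AES block function is replaced by a clearly labelled HMAC-based stand-in so the example runs with only the standard library; the 8-byte nonce and 8-byte counter layout are assumptions.

```python
import hashlib
import hmac
from typing import Optional

BLOCK = 16  # keystream block size in bytes, matching AES


def _block_prf(key: bytes, counter_block: bytes) -> bytes:
    """Stand-in for AES encryption of one 16-byte counter block.
    HMAC-SHA256 truncated to 16 bytes is used only so the example runs
    without a third-party AES library; real code uses AES here."""
    return hmac.new(key, counter_block, hashlib.sha256).digest()[:BLOCK]


def ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR mode: encrypt counter blocks 0, 1, 2, ... under the nonce and XOR
    the keystream onto the data. Encryption and decryption are the same
    operation, and no padding is needed: the last block is truncated."""
    assert len(nonce) == 8, "8-byte nonce || 8-byte big-endian counter"
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        counter_block = nonce + (i // BLOCK).to_bytes(8, "big")
        stream = _block_prf(key, counter_block)
        out.extend(a ^ b for a, b in zip(data[i:i + BLOCK], stream))
    return bytes(out)


def flip_bit(data: bytes, index: int, bit: int) -> bytes:
    """Copy of data with one bit toggled (models in-transit corruption)."""
    buf = bytearray(data)
    buf[index] ^= 1 << bit
    return bytes(buf)


def seal(key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: CTR for confidentiality, HMAC over nonce||ct for
    integrity, which CTR alone does not provide."""
    ct = ctr_xor(key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, mac_key: bytes, sealed: bytes) -> Optional[bytes]:
    """Verify the tag before decrypting; return None on any modification."""
    nonce, ct, tag = sealed[:8], sealed[8:-32], sealed[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return ctr_xor(key, nonce, ct)
```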