[PYTHON-CRYPTO] aes library

Paul Paul at CRYPTORIGHTS.ORG
Sat Apr 20 23:23:33 CEST 2002


At 5:32 AM -0700 4/20/02, Zooko wrote:
>  two weeks ago, on Apr 5, Paul Rubin <phr-pycrypt at NIGHTSONG.COM> wrote:
>>
>>  ECB, CBC, CFB and OFB are described here:
>>
>>  http://www.iks-jena.de/mitarb/lutz/security/cryptfaq/q82.html
>>  http://www.iks-jena.de/mitarb/lutz/security/cryptfaq/q83.html
>>
>>  CTR is done by just encrypting the blocks 0001, 0002, 0003, ...
>>  and xoring the resulting stream against the plaintext stream.
>>
>>  It has the advantage of being very simple, and not needing special
>>  padding if you want to encrypt a plaintext of 23 bytes or something
>>  like that.  Its disadvantages are that you must never re-use a key,
>
>Untrue -- you must never re-use a (key, IV) *pair*.  This is the same
>constraint that CBC, CFB and OFB have as far as I understand.  (I'm not very
>familiar with those modes.)
>
>>  and it is somewhat more subject to ciphertext modification attacks
>>  than other modes.  Flipping a single bit in the ciphertext results in
>>  flipping the same bit in the plaintext without disturbing the
>>  surrounding bits.
>
>This is true, but it isn't a novel vulnerability so much as a more dramatic
>version of a vulnerability that all the modes under discussion share.  One
>really should not rely on the bit-disturbing properties of the other modes,
>either.  If you want non-malleability or authentication or whatever, then you
>need to use an algorithm that guarantees it, not rely on some bit-disturbing
>side effect of your encryption mode.

Yes ... repeated IV totally breaks CTR. For CBC, it's a very very
minor risk that at worst may expose that two encrypted items are
similar.

>
>
>By the way, I'm a lot less positive about CTR mode after the conversation
>about it between you (Paul Rubin), Bram Cohen and I on this list a few weeks
>ago.  All three of us, experienced crypto hackers all, made substantial errors
>about usage (management of the key and IV).  I think this demonstrates that it
>really is harder for people to use CTR mode properly.


It also shows why the IV should be part of the algorithm's processing and
not a parameter.

Paul

--
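The three properties argued over above (CTR needs no padding, a repeated (key, IV) pair leaks the XOR of the plaintexts, and a flipped ciphertext bit flips the same plaintext bit) can be checked directly. The block below is an added example, not code from the thread or from any of the posters; it assumes an HMAC-SHA256-based keyed function as a stand-in for one AES block encryption, and constructed sample keys and messages. The last two functions follow Paul's suggestion of letting the encryption routine pick and carry the IV itself rather than taking it as a parameter.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes, as for AES


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for one AES block encryption (assumption: HMAC-SHA256 truncated
    to 16 bytes plays the keyed pseudorandom function; real code uses AES)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def ctr_keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Encrypt counter blocks IV, IV+1, IV+2, ... and concatenate the outputs:
    the 'encrypt 0001, 0002, 0003 ...' construction described in the thread."""
    start = int.from_bytes(iv, "big")
    out = bytearray()
    i = 0
    while len(out) < length:
        counter_block = ((start + i) % (1 << (8 * BLOCK))).to_bytes(BLOCK, "big")
        out += block_encrypt(key, counter_block)
        i += 1
    return bytes(out[:length])  # truncated keystream, so no padding is needed


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR against the keystream."""
    return xor_bytes(data, ctr_keystream(key, iv, len(data)))


def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    """Flip one bit; with CTR the same bit flips in the decrypted plaintext,
    which is why an authenticator (MAC) is needed for integrity."""
    out = bytearray(data)
    out[byte_index] ^= 1 << bit
    return bytes(out)


def encrypt_with_fresh_iv(key: bytes, data: bytes) -> bytes:
    """IV chosen inside the routine and prepended, never reused by the caller."""
    iv = os.urandom(BLOCK)
    return iv + ctr_crypt(key, iv, data)


def decrypt_with_embedded_iv(key: bytes, blob: bytes) -> bytes:
    return ctr_crypt(key, blob[:BLOCK], blob[BLOCK:])


# Constructed sample values (not from the original thread); both plaintexts are 23 bytes.
KEY = b"\x11" * BLOCK
IV = b"\x00" * (BLOCK - 1) + b"\x01"
P1 = b"attack at dawn, 23 byte"
P2 = b"retreat at dusk, 23 byt"
```

Encrypting P1 and P2 under the same KEY and IV and XORing the two ciphertexts yields exactly `xor_bytes(P1, P2)`, which is the leak the thread warns about.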