[PYTHON-CRYPTO] PEP 272 version 2

Zooko zooko at zooko.com
Sun Apr 21 12:37:49 CEST 2002


 Paul Rubin <phr-pycrypt at NIGHTSONG.COM> wrote:
>
>     > It has the advantage of being very simple, and not needing special
>     > padding if you want to encrypt a plaintext of 23 bytes or something
>     > like that.  Its disadvantages are that you must never re-use a key,
>
>     Untrue -- you must never re-use a (key, IV) *pair*.  This is the
>     same constraint that CBC, CFB and OFB have as far as I understand.
>     (I'm not very familiar with those modes.)
>
> CTR as normally described doesn't have an IV.  You must never re-use
> a key.

I named the data element "IV" in the letter that you quote in order to compare
the different modes more easily.  (In fact, I had named it "nonce" when
I wrote the letter, which is a more technically accurate name for it, but then
I changed it to "IV" before sending.)

But whatever it is called, it isn't true that you must never re-use a key in
counter mode encryption.  What's true is that you must never re-use a (key,
nonce/counter/IV) *pair*.  (Also you have to be careful not to use nonces
which are near one another and could reach one another by incrementing.)

I'm not writing this to persuade you (Paul Rubin) of anything (you've already
heard my arguments), but to make sure that a reader following this thread
didn't think that I agreed with your repeated assertion that "You must never
re-use a key." in counter-mode encryption.

By the way thanks for informing me about CBC mode's resilience to that usage.

So in an attempt to return to the topic of this list...

> CTR mode is fine if you know what you're doing enough to use it
> properly.  If you don't know what you're doing, you shouldn't be using
> any mode, or at least shouldn't be choosing modes yourself.

Right.  If I were designing crypto modules for Python, I wouldn't offer CTR
mode to the newbie.  I think it should be relegated to secondary status so
that only people who know they want it will find it.

Regards,

Zooko

Zooko.Com -- Security and Distributed Systems Engineering
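The reuse hazard Zooko describes (a repeated (key, nonce/counter) pair, or two counter start values close enough that one message's counter range runs into the other's) can be shown directly. The following is an added example, not code from this thread or from PyCrypto. It assumes a stand-in block function built from HMAC-SHA256 (chosen so the example runs with only the standard library; a real implementation would use AES), and it treats the nonce and counter as one 128-bit integer, which is exactly the layout in which "near" nonces collide. The key, plaintexts and counter values are constructed.

```python
"""CTR-mode (key, nonce) reuse, demonstrated with a stand-in block function.

Added example, not code from the python-crypto thread. The block cipher is
replaced by a keyed PRF built from HMAC-SHA256 (an assumption made for
portability; a real implementation would use AES), because the hazard shown
here comes from CTR mode's keystream, not from the cipher beneath it.
"""
import hashlib
import hmac

BLOCK = 32          # keystream block size: HMAC-SHA256 output length
COUNTER_BITS = 128  # one 128-bit counter block; nonce and counter share it


def _keystream_block(key: bytes, counter_block: int) -> bytes:
    """E_k(counter_block), the stand-in for one block-cipher call."""
    msg = counter_block.to_bytes(COUNTER_BITS // 8, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


def ctr_crypt(key: bytes, iv: int, data: bytes) -> bytes:
    """Encrypt or decrypt data in CTR mode; keystream block i is E_k(iv + i).

    No padding: the final keystream block is truncated to the bytes left,
    which is the property the thread credits CTR mode with.
    """
    out = bytearray()
    for off in range(0, len(data), BLOCK):
        ks = _keystream_block(key, (iv + off // BLOCK) % (1 << COUNTER_BITS))
        out.extend(a ^ b for a, b in zip(data[off:off + BLOCK], ks))
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_with_known_plaintext(c1: bytes, p1: bytes, c2: bytes) -> bytes:
    """Same (key, iv) used twice: c1 ^ c2 == p1 ^ p2, so p2 == c1 ^ c2 ^ p1."""
    n = min(len(c1), len(c2), len(p1))
    return xor(xor(c1[:n], c2[:n]), p1[:n])


def shared_keystream_bytes(iv1: int, len1: int, iv2: int, len2: int) -> int:
    """Keystream bytes two messages under one key would share.

    Message j consumes counter values iv_j .. iv_j + ceil(len_j / BLOCK) - 1.
    If those ranges intersect, every block in the intersection is reused.
    Use this as the pre-encryption check: the result must be 0.
    """
    blocks1 = -(-len1 // BLOCK)
    blocks2 = -(-len2 // BLOCK)
    lo = max(iv1, iv2)
    hi = min(iv1 + blocks1, iv2 + blocks2)
    return max(0, hi - lo) * BLOCK


def demo() -> dict:
    key = b"\x01" * 32   # constructed, fixed key so the example is repeatable
    p1 = b"Attack the reactor at dawn; bring the second key."   # 49 bytes
    p2 = b"Hold position until the courier arrives tonight."     # 48 bytes
    iv = 1000

    # Case 1: identical (key, iv) pair. Both messages get the same keystream,
    # so an attacker who knows p1 reads p2 without ever touching the key.
    c1 = ctr_crypt(key, iv, p1)
    c2 = ctr_crypt(key, iv, p2)
    leaked_whole = recover_with_known_plaintext(c1, p1, c2)

    # Case 2: a "near" iv. Message 1 used counter values 1000 and 1001, so
    # starting message 2 at 1001 makes its first keystream block equal to
    # message 1's second block. p1 only covers 17 bytes of that block, so
    # that is how much of p2 the known plaintext exposes directly.
    c3 = ctr_crypt(key, iv + 1, p2)
    ks_block1 = xor(c1[BLOCK:], p1[BLOCK:])          # 17 known keystream bytes
    leaked_prefix = xor(c3[:len(ks_block1)], ks_block1)

    # Case 3: an iv past message 1's last counter value. The ranges no
    # longer intersect and the ciphertexts bear no relation to each other.
    c4 = ctr_crypt(key, iv + 2, p2)

    return {
        "leaked_whole": leaked_whole,
        "leaked_prefix": leaked_prefix,
        "shared_bytes_near": shared_keystream_bytes(iv, len(p1), iv + 1, len(p2)),
        "shared_bytes_far": shared_keystream_bytes(iv, len(p1), iv + 2, len(p2)),
        "far_iv_related": xor(c1, c4)[:48] == xor(p1, p2)[:48],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The `shared_keystream_bytes` check is the practical form of the constraint: it is not enough that two start values differ, the whole counter range each message consumes must be disjoint. The usual structural remedy is to split the counter block into a per-message nonce field and a separate block counter (for instance a 96-bit nonce plus a 32-bit counter), so that incrementing within one message can never reach another message's range, and to treat the message length limit implied by the counter width as a hard bound.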