[PYTHON-CRYPTO] things missing from PEP 272

Zooko zooko at zooko.com
Mon Mar 18 22:33:14 CET 2002


Paul Rubin <phr-pycrypt at NIGHTSONG.COM> wrote:
>
> The IV for counter mode should be an int or long giving the counter
> value.

I think it is a mistake to make the IV a counter, in general, because then you
have to guarantee that you never lose the persistent counter state while
retaining the key after having sent a message encrypted with that counter state.
(I.e., because your key is persistent, your counter state is updated and used in
volatile memory, and your system crashed after sending an encrypted message but
before the counter state update reached non-volatile media.)

The only solutions that I can think of are either to use keys that are
guaranteed to be no more persistent than the IV, or to delay sending encrypted
messages until you get a positive "I'm now durable" signal (yeah right) from the
counter state's persistent store, or better, generate a new random IV on startup.
(You can then increment it for each successive message or generate a new random
one for each successive message.)

Anyway, that's why I think the IV should be a string not an integer.

(BTW, you have the same problem about the persistence of the state used to
generate your randomness, but at least that pushes it out to more widely used
code (i.e. /dev/urandom) which you are already vulnerable to and which more
people are working on, and it is also ameliorated by "adding in fresh entropy"
derived from events after startup.)

Regards,

Zooko

---
                 zooko.com
Security and Distributed Systems Engineering
---
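An added illustration of the crash scenario Zooko describes, not code from this thread or from any PEP 272 implementation: a sender holds a persistent key and a counter-mode IV whose working copy lives in volatile memory. If the process dies after a message is sent but before the advanced counter reaches disk, the restart reloads the stale IV and the next message reuses keystream, so XOR of the two ciphertexts equals XOR of the two plaintexts. Generating a fresh random IV on startup avoids this. The IV is handled as a 16-byte string rather than an integer, as the post argues for. HMAC-SHA256 stands in for a real block cipher as the keyed PRF so the example runs with only the standard library; that substitution, and the `Sender` class and its method names, are assumptions of this example.

```python
"""Counter-mode IV handling: what a stale persisted counter state costs.

Added example; not code from the python-crypto thread or from PEP 272.
The "block cipher" is HMAC-SHA256 used as a keyed PRF, a stand-in so the
demo runs offline with the standard library. The IV is a 16-byte string,
interpreted as the initial counter block."""
import hashlib
import hmac
import secrets

IV_LEN = 16
BLOCK = hashlib.sha256().digest_size  # 32 bytes of keystream per counter value
COUNTER_MOD = 1 << (8 * IV_LEN)


def keystream_block(key: bytes, counter_block: bytes) -> bytes:
    """Keystream for one counter value (HMAC-SHA256 standing in for a block cipher)."""
    return hmac.new(key, counter_block, hashlib.sha256).digest()


def ctr_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) in counter mode, starting at the IV."""
    if len(iv) != IV_LEN:
        raise ValueError("IV must be %d bytes" % IV_LEN)
    counter = int.from_bytes(iv, "big")
    out = bytearray()
    for offset in range(0, len(data), BLOCK):
        block = (counter % COUNTER_MOD).to_bytes(IV_LEN, "big")
        ks = keystream_block(key, block)
        out.extend(a ^ b for a, b in zip(data[offset:offset + BLOCK], ks))
        counter += 1
    return bytes(out)


def blocks_needed(data: bytes) -> int:
    return (len(data) + BLOCK - 1) // BLOCK


def advance_iv(iv: bytes, blocks_used: int) -> bytes:
    """IV for the next message: skip past every counter value the last message used."""
    n = (int.from_bytes(iv, "big") + blocks_used) % COUNTER_MOD
    return n.to_bytes(IV_LEN, "big")


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Sender:
    """Persistent key; counter state is advanced in RAM and written to 'disk' lazily."""

    def __init__(self, key: bytes, persisted_iv: bytes):
        self.key = key               # persistent: survives a crash
        self.disk_iv = persisted_iv  # non-volatile copy of the counter state
        self.ram_iv = persisted_iv   # working copy used for encryption

    def send(self, plaintext: bytes) -> bytes:
        ct = ctr_crypt(self.key, self.ram_iv, plaintext)
        self.ram_iv = advance_iv(self.ram_iv, blocks_needed(plaintext))
        return ct

    def sync_to_disk(self) -> None:
        self.disk_iv = self.ram_iv

    def crash_and_restart(self, fresh_random_iv: bool) -> None:
        # The RAM counter is lost. Either reload the stale persisted value,
        # or (as the post recommends) generate a brand-new random IV on startup.
        self.ram_iv = secrets.token_bytes(IV_LEN) if fresh_random_iv else self.disk_iv


def crash_scenario(fresh_random_iv: bool, p1: bytes, p2: bytes):
    """Send p1, crash before the counter update reaches disk, restart, send p2.

    Returns (c1, c2, keystream_reused): keystream_reused is True when
    c1 XOR c2 == p1 XOR p2, i.e. both messages used the same counter values."""
    key = secrets.token_bytes(32)                    # constructed key for the demo
    s = Sender(key, secrets.token_bytes(IV_LEN))
    c1 = s.send(p1)        # s.sync_to_disk() never runs: the crash wins the race
    s.crash_and_restart(fresh_random_iv)
    c2 = s.send(p2)
    n = min(len(p1), len(p2))
    reused = xor_bytes(c1[:n], c2[:n]) == xor_bytes(p1[:n], p2[:n])
    return c1, c2, reused


if __name__ == "__main__":
    print("stale persisted IV -> keystream reused:", crash_scenario(False, b"a" * 40, b"b" * 40)[2])
    print("fresh random IV on startup -> keystream reused:", crash_scenario(True, b"a" * 40, b"b" * 40)[2])
```

Only the persistence of the IV, not the mode itself, is at issue: `advance_iv` is the same whether the IV came from disk or from `secrets.token_bytes`, so the choice between incrementing and re-randomizing per message is a policy decision layered on top of a string IV.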