[Figure 2.6. CBC mode: plaintext blocks $x_1, x_2, x_3, \ldots, x_n$ are combined by $\oplus$ with IV (first block) or the previous ciphertext block, then encrypted by $C$, giving $y_1, y_2, y_3, \ldots, y_n$.]
The initial vector does not have to be secret. There are actually four different ways to use the IV.
1. Generate a pseudorandom IV which is sent in clear with the ciphertext.
2. Generate a pseudorandom IV which is transmitted in a confidential way.
3. Use a fixed IV which is a known constant.
4. Use a fixed IV which is another part of the secret key.
The US standards recommend one of the first two solutions.
There are a few security problems.
Information Leakage by First Block Collisions
If for two different plaintexts the first blocks $x_1$ are the same and the IV is fixed, then there is still a leakage of the equality of these blocks. This is why we prefer having a random IV.
Integrity Issues
A third party can replace ciphertext blocks so that all but a few plaintext blocks will
decrypt well. This may be an integrity problem.
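Both problems above can be observed directly with a small CBC implementation. The following is an added example, not code from the book: a constructed 64-bit 4-round Feistel permutation stands in for the block cipher $C$ (it is a toy, not a real cipher), and the two check functions show that a fixed IV makes equal first blocks visible in the ciphertext, and that replacing one ciphertext block leaves all but two plaintext blocks decrypting correctly.

```python
import hashlib
BLOCK = 8  # constructed toy cipher C: 64-bit blocks, 4-round Feistel (not a real cipher)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    # keyed round function; SHA-256 output truncated to 32 bits
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def encrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, r, rnd))
    return l + r

def decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r

def cbc_encrypt(key: bytes, iv: bytes, x: bytes) -> list:
    # y_i = C(x_i xor y_{i-1}) with y_0 = IV; returns the list y_1..y_n
    y, prev = [], iv
    for i in range(0, len(x), BLOCK):
        prev = encrypt_block(key, _xor(x[i:i + BLOCK], prev))
        y.append(prev)
    return y

def cbc_decrypt(key: bytes, iv: bytes, y: list) -> list:
    # x_i = C^{-1}(y_i) xor y_{i-1}
    x, prev = [], iv
    for c in y:
        x.append(_xor(decrypt_block(key, c), prev))
        prev = c
    return x

def first_blocks_collide(key, iv1, iv2, x1, x2) -> bool:
    """Leak check: does a third party see identical first ciphertext blocks?"""
    return cbc_encrypt(key, iv1, x1)[0] == cbc_encrypt(key, iv2, x2)[0]

def blocks_surviving_replacement(key, iv, x, j) -> list:
    """Replace ciphertext block j (0-based) by a different block; return the
    indices of plaintext blocks that still decrypt correctly (all but j, j+1)."""
    y = cbc_encrypt(key, iv, x)
    y[j] = _xor(y[j], b"\xff" * BLOCK)
    recovered = cbc_decrypt(key, iv, y)
    original = [x[i:i + BLOCK] for i in range(0, len(x), BLOCK)]
    return [i for i, blk in enumerate(original) if recovered[i] == blk]
```

With a fixed IV the two messages sharing the header block produce the same $y_1$; with distinct IVs they cannot, since $C$ is a permutation.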
2.2.3 Output Feedback (OFB)
The plaintext $x$ is split into -bit blocks $x_1, \ldots, x_n$, and the ciphertext $y$ is the concatenation of blocks which are obtained iteratively. We still have an initial vector IV. As depicted in Fig. 2.7, the encryption obeys the following rules.
$$x = x_1 \| x_2 \| \cdots \| x_n$$
$$s_1 = \mathrm{IV}$$
$$r_i = \mathrm{truncL}(C(s_i))$$
$$s_{i+1} = \mathrm{truncR}_{64}(s_i \| r_i)$$