The Header Structure
CBC mode requires a random initialization vector, and a file header is a natural place to carry it. In RC5a I used this header to also carry a checksum (as described in Section 5.1.3) and the version number. Again, the layout is somewhat idiosyncratic:
The header of an encrypted file consists of six plaintext blocks (i.e., 48 bytes). The first four blocks are random (more about this in a minute); the fifth block contains the version and release numbers (the version in half block A and the release in half block B); and the sixth block contains a checksum.
The first four blocks are filled in the machine-dependent function make_random(). I use the output of the UNIX command ps with those options that list the largest amount of information about all processes running in the system (start time, process number, addresses, owners, states, etc.). Even if you are the only user of a UNIX system, many processes can be active, so the output of the command cannot be predicted. Though executing the command costs some time, I didn't find this to be a disturbance. (Editorial note: on any current UNIX system /dev/urandom or getrandom() is the appropriate source for these bytes; ps output is guessable by a local attacker who can run ps at about the same time, and its entropy is far below the 256 bits the four blocks could hold.)
The make_random() function compresses a long field, B_0 ... B_n, to four blocks, F_0 ... F_3, by the rule

    F[k % 4] = F[k % 4] ⊕ A
    A        = A ⊕ (B[k] <<< A)

applied for k = 0, 1, ..., n, where k % 4 is the remainder when dividing k by 4, B[k] is the k-th 32-bit word of the field (the output of ps), A is a 32-bit word, <<< is a left rotation by the low bits of A, and ⊕ is bitwise XOR (the operator glyph did not survive extraction; XOR is assumed here). Neither A nor F is initialized.
The point of this is a sufficiently strong mixing of the bits of B. Careful cryptographers would use a hash function at this point, but I think that's just introducing unnecessary overhead. The computation of the checksum is just as simple (see the check_head() function). Its main purpose is also to provide a sufficiently reliable pretest for a password rather than cryptographic security, and it does meet this requirement: a 64-bit checksum lets a wrong password slip through the pretest with probability about 2^-64, but it is not a MAC and detects deliberate tampering only by accident.
The header is encrypted in ECB mode. During decryption, RC5a first checks the checksum and then the version and release numbers. If the ciphering mode or the algorithm changes, future versions should still be able to decrypt files written by all previous versions, based on the version and release numbers. (Note that under ECB the fifth block is a fixed, known plaintext: every file written with the same key and program version starts with the same ciphertext block at that position, which is harmless for a strong block cipher but is a known-plaintext block an attacker gets for free.) It
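The following C program is an added example, not the RC5a source from the book: it builds and checks the 48-byte header described above (four random blocks, a version/release block, a checksum block) using the make_random() mixing rule from the text. Everything beyond that rule is an assumption made here: the combining operator is XOR; A and the output words start at zero instead of uninitialized memory; the final A is folded into the output after the loop so the last word of the field is not dropped; the word count is a parameter so the same rule fills eight words (four blocks) and, as a stand-in for the book's check_head(), two checksum words; and the entropy field is a constructed string in place of real ps output. The header is handled in plaintext, i.e., before encryption or after decryption.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Header layout from the text: six 8-byte blocks.
   Blocks 0-3 random, block 4 = version (half A) | release (half B), block 5 = checksum. */
#define BLOCK_BYTES   8
#define HEADER_BYTES  (6 * BLOCK_BYTES)   /* 48 */
#define RANDOM_WORDS  8                   /* four blocks = eight 32-bit words */

static uint32_t rotl32(uint32_t x, uint32_t n)
{
    n &= 31;                              /* data-dependent rotation, amount taken mod 32 */
    return n ? (x << n) | (x >> (32 - n)) : x;
}

static uint32_t get32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* make_random() mixing rule: for each 32-bit little-endian word B[k] of the field,
       F[k % n] ^= A;   A ^= (B[k] <<< A)
   The text uses n = 4 uninitialized words; this version (assumptions, not the book's code)
   zero-initializes A and F, takes n as a parameter, zero-pads a short trailing word and
   folds the final A into F after the loop so the last word of the field also reaches F. */
static void mix_field(const uint8_t *field, size_t len, uint32_t *F, size_t n)
{
    uint32_t A = 0;
    size_t k;
    memset(F, 0, n * sizeof *F);
    for (k = 0; k * 4 < len; k++) {
        uint32_t B = 0;
        size_t i;
        for (i = 0; i < 4 && k * 4 + i < len; i++)
            B |= (uint32_t)field[k * 4 + i] << (8 * i);
        F[k % n] ^= A;
        A ^= rotl32(B, A);
    }
    F[k % n] ^= A;                        /* added fold of the last A */
}

/* Checksum over blocks 0-4 (40 bytes): hypothetical stand-in for check_head().
   A password pretest only, not a MAC. */
static void header_checksum(const uint8_t hdr[HEADER_BYTES], uint32_t sum[2])
{
    mix_field(hdr, 5 * BLOCK_BYTES, sum, 2);
}

/* Build the plaintext header from an entropy field (in RC5a: the output of ps). */
static void header_build(uint8_t hdr[HEADER_BYTES], const uint8_t *entropy, size_t elen,
                         uint32_t version, uint32_t release)
{
    uint32_t F[RANDOM_WORDS], sum[2];
    size_t i;
    mix_field(entropy, elen, F, RANDOM_WORDS);
    for (i = 0; i < RANDOM_WORDS; i++)
        put32(hdr + 4 * i, F[i]);         /* blocks 0-3 */
    put32(hdr + 32, version);             /* block 4, half A */
    put32(hdr + 36, release);             /* block 4, half B */
    header_checksum(hdr, sum);
    put32(hdr + 40, sum[0]);              /* block 5 */
    put32(hdr + 44, sum[1]);
}

/* Decryption-side check in the order the text gives: checksum first (the password
   pretest), then version. Returns 0 if usable, -1 on checksum mismatch (wrong password
   or damaged file), -2 if the file was written by a newer version than max_version. */
static int header_check(const uint8_t hdr[HEADER_BYTES], uint32_t max_version,
                        uint32_t *version, uint32_t *release)
{
    uint32_t sum[2];
    header_checksum(hdr, sum);
    if (sum[0] != get32(hdr + 40) || sum[1] != get32(hdr + 44))
        return -1;
    *version = get32(hdr + 32);
    *release = get32(hdr + 36);
    return *version > max_version ? -2 : 0;
}

int main(void)
{
    /* Constructed stand-in for ps output; real RC5a reads the command's output. */
    static const char entropy[] = "  PID TTY          TIME CMD\n  742 pts/0    00:00:00 bash\n";
    uint8_t hdr[HEADER_BYTES];
    uint32_t v, r;
    int i;
    header_build(hdr, (const uint8_t *)entropy, sizeof entropy - 1, 1, 2);
    for (i = 0; i < HEADER_BYTES; i++)
        printf("%02x%s", hdr[i], (i % BLOCK_BYTES == 7) ? "\n" : " ");
    printf("check: %d\n", header_check(hdr, 1, &v, &r));   /* 0: version 1, release 2 */
    hdr[0] ^= 0x80;                       /* simulate a wrong password / damaged block */
    printf("check after bit flip: %d\n", header_check(hdr, 1, &v, &r));   /* -1 */
    return 0;
}
```

The bit flip in block 0 stands in for what a wrong password produces after decryption: garbage in the random blocks, which the checksum rejects before any data block is touched. Note that the pretest is deliberately cheap to compute, which also makes it cheap for an attacker to test password guesses against the header alone.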