[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: 40-bit RC5 crack meaningless?
-----BEGIN PGP SIGNED MESSAGE-----
In article <[email protected]>,
Peter Trei <[email protected]> wrote:
>The purpose of an IV is to make dictionary and replay attacks more
>difficult. It is not intended to prevent brute force attacks, and so
>is _normally_ included in the clear in communications protocols (for
>example, see RFC 1827 for it's clear transmission in IPSEC). If it
>is not included, it is effectively part of the keying material, and
>thus adds it's bits to the strength of the key. As such, its value
>would have to be transmitted and protected as carefully as the rest of
>the key.
This is a common mistake. Just use the first block of ciphertext as the IV,
and start decrypting from the second block. Let's say you discover that
key K causes C2,C3,... to decrypt to something intelligible (P2,P3,...),
using C1 as the IV. What could P1 have been? Well, we know that
(if IV is the _actual_ IV, which you don't know) E_K[IV^P1] = C1, so
IV^P1 = D_K[C1]. But we now have what is effectively a one-time pad
situation, where P1 is the plaintext, IV is the pad, and D_K[C1] is the
ciphertext. Thus, if you don't know the IV in a CBC situation, you can
still recover all of the plaintext starting at the second block with
the same amount of work it would have taken to have recovered the whole
plaintext, given the IV (the IV does not in fact add its bits to the
strength of the key), but you learn nothing about the first block
(unless something about the protocol gives you a clue based on your knowledge
of subsequent blocks).
Disclaimer: I've been having a rough week...
- Ian
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMvwT8kZRiTErSPb1AQEqMgQAoM3TW9xyN47aLt5p8BsYMEvWFa+e7sgt
TGZa8DtuPPosciR8J7O2aMbKSvRHoLFFF0bBccC6NSsoVTlBUB2C+gGeMJ4ufk+A
PbPMW1z4JvGyeVYtrEKPweetTl5ZprbbLoS778Pwm+9/RpwZte372B7BkgTvQR+H
QjXuSmuua9c=
=pqWE
-----END PGP SIGNATURE-----