Re: 128 bit block ciphers
dontspam-tzeruch@xxxxxxxxxx says:
> > To add security you need an offset in a generated cryptostream. Which
> > (the offset) necessarily should go in the clear.
>
> The problem is there is no other way to determine if a key is correct than
> to match the final pairs of bytes in the prefix. It adds no security, but
> without any means of checksumming the symmetrically encrypted ESKs, you
> can't tell which of the passphrases actually match. I suggested adding a
> checksum to the SKESK, but that was shot down.
Hmm... In block ciphers that random prefix does add a little bit of
security and does make a non-zero IV unnecessary. In stream ciphers the
prefix does nothing and an IV (or a "stream offset") is a must.
None of these is really good for checksumming.
While the existing solution that uses block cipher(s) copes with the
issue well, stream ciphers throw a monkey wrench into the gears. Yes
it is possible to have both random prefix and random offset, but it
ain't look nice.
I'm for adding a checksum. Would be more reliable too. [Possibly it's
too late for that... Oh well...]
> So you require a checksum like mechanism in the cryptostream.
Yup.
> The simplest is to do the same type that the existing CFB system uses.
Probably. But is it the best...?
--
Regards,
Uri uri@xxxxxxxxxxxxxx
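The two mechanisms the thread is weighing, as an added example that is not code from the thread or from any OpenPGP implementation: the CFB random prefix whose last two bytes are repeated so a decryptor can "match the final pairs of bytes in the prefix", beside an explicit keyed checksum over the ciphertext. The block cipher is a stand-in (a keyed PRF built from SHA-256, which is enough to illustrate CFB since the mode only uses the forward direction); the key-separation labels, the HMAC-SHA256 choice, and the sample keys and plaintext are all constructed for this example.

```python
"""
Constructed demo: two ways a decryptor can tell whether a passphrase-derived
key is right.

 1. The CFB "random prefix" trick: one block of random bytes followed by a
    repeat of its last two bytes.  A wrong key passes the pair comparison with
    probability about 2^-16, and the check says nothing about the rest of the
    message (the thread's "none of these is really good for checksumming").
 2. An explicit keyed checksum (HMAC-SHA256) over IV || ciphertext, the kind of
    "more reliable" check the post argues for: a wrong key or a modified
    message is rejected with overwhelming probability, and integrity is covered.
"""
import hashlib
import hmac
import os

BLOCK = 16      # 128-bit blocks, as in the thread's subject line
TAG_LEN = 32    # HMAC-SHA256 output length


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for a 128-bit block cipher (constructed for this example).
    CFB only ever uses the encryption direction, so a keyed PRF suffices."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb(key: bytes, iv: bytes, data: bytes, encrypt: bool) -> bytes:
    """Full-block CFB. The ciphertext block is fed back in both directions."""
    out = bytearray()
    register = iv
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        keystream = block_encrypt(key, register)
        result = bytes(a ^ b for a, b in zip(chunk, keystream))
        out += result
        cipher_block = result if encrypt else chunk
        register = (register + cipher_block)[-BLOCK:]
    return bytes(out)


# --- 1. random prefix with a repeated pair ("quick check") -----------------

def seal_with_prefix(key: bytes, plaintext: bytes, rng=os.urandom) -> bytes:
    """Prepend BLOCK random bytes plus a repeat of the last two, then encrypt
    with a zero IV: the random prefix is what makes a non-zero IV unnecessary."""
    prefix = rng(BLOCK)
    prefix += prefix[-2:]
    return cfb(key, bytes(BLOCK), prefix + plaintext, encrypt=True)


def quick_check(key: bytes, ciphertext: bytes) -> bool:
    """Decrypt only the first BLOCK+2 bytes and compare the repeated pair."""
    if len(ciphertext) < BLOCK + 2:
        return False
    head = cfb(key, bytes(BLOCK), ciphertext[:BLOCK + 2], encrypt=False)
    return head[BLOCK - 2:BLOCK] == head[BLOCK:BLOCK + 2]


def open_with_prefix(key: bytes, ciphertext: bytes):
    """Return the plaintext, or None when the prefix pair does not match."""
    if not quick_check(key, ciphertext):
        return None
    return cfb(key, bytes(BLOCK), ciphertext, encrypt=False)[BLOCK + 2:]


# --- 2. explicit keyed checksum over the whole message ----------------------

def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from the single input key
    # (labels are a constructed choice for this example).
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def seal_with_checksum(key: bytes, plaintext: bytes, rng=os.urandom) -> bytes:
    """Random IV sent in the clear, CFB body, then HMAC over IV || body."""
    enc_key, mac_key = _subkeys(key)
    iv = rng(BLOCK)
    body = cfb(enc_key, iv, plaintext, encrypt=True)
    tag = hmac.new(mac_key, iv + body, hashlib.sha256).digest()
    return iv + body + tag


def open_with_checksum(key: bytes, message: bytes):
    """Return the plaintext, or None if the tag fails (wrong key or tampering)."""
    enc_key, mac_key = _subkeys(key)
    if len(message) < BLOCK + TAG_LEN:
        return None
    iv, body, tag = message[:BLOCK], message[BLOCK:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(mac_key, iv + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return cfb(enc_key, iv, body, encrypt=False)
```

With the prefix scheme, flipping a byte anywhere past the first 18 bytes of ciphertext still passes the quick check, because only those bytes feed the pair comparison; with the checksum scheme the same flip, or a wrong passphrase, is rejected before any plaintext is released.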