Re: [TLS] Re: SIV as WG item?
At Thu, 17 Jan 2008 10:39:34 -0800,
mcgrew wrote:
> Now, returning to the comparison between SIV and the use of CBC in TLS, SIV
> does well in this competition. It has the advantage that it does not
> require any initialization vector. It avoids the vulnerabilities that CBC
> has to chosen-plaintext attacks whenever the IV is predictable (as it
> unfortunately can be in TLS), while not requiring a random IV and not
> requiring any nonce management. Not requiring any random source is a nice
> property.
David,
I'm not sure I understand this argument. It's certainly true that
CBC in TLS needs to be used with an unpredictable IV, but this
doesn't require an independent random source. Indeed, RFC 4346
includes several suggested methods for generating IVs without one,
for instance, enciphering a dummy block using the encryption
key and the CBC state from the previous record.
-Ekr
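The scheme Ekr refers to, as an added illustration that is not code from the thread, the IETF or any TLS implementation: RFC 4346 Section 6.2.3.2 option (3) obtains an explicit per-record IV by enciphering a fixed dummy block F, masked with the CBC residue of the previous record, under the record key, so no extra random source is needed after the first record. The program below contrasts that with the TLS 1.0 behaviour (IV = previous record's last ciphertext block) by letting a passive observer guess the next IV from the wire. The key, the message, the value of F and the helper names are constructed for the demonstration; real TLS record padding and MAC handling are omitted since the point here is only IV predictability.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const blockSize = aes.BlockSize

// record pairs the IV the sender actually used with the CBC ciphertext. In
// TLS 1.0 the IV is implicit (never sent); in the RFC 4346 scheme it is sent
// in front of the ciphertext. It is kept here so the demo can compare it with
// an observer's prediction.
type record struct {
	iv         []byte
	ciphertext []byte
}

// cbcWriter models one direction of a connection. residue is the last
// ciphertext block of the previous record (the CBC state both schemes keep).
type cbcWriter struct {
	block   cipher.Block
	residue []byte
}

// dummyBlock is the fixed block F of RFC 4346 option (3); an arbitrary
// constructed value, which the scheme does not require to be secret.
var dummyBlock = bytes.Repeat([]byte{0x46}, blockSize)

// newWriter sets up AES-CBC. The first chaining value must come from a strong
// PRNG in either scheme (RFC 4346 requires this for the first record).
func newWriter(key []byte) *cbcWriter {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // demo only: 16, 24 or 32-byte keys
	}
	first := make([]byte, blockSize)
	if _, err := rand.Read(first); err != nil {
		panic(err)
	}
	return &cbcWriter{block: block, residue: first}
}

func cbcEncrypt(block cipher.Block, iv, plaintext []byte) []byte {
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return out
}

// sendTLS10: the IV is the residue itself, i.e. the last ciphertext block of
// the previous record, already visible on the wire before the next plaintext
// is chosen.
func (w *cbcWriter) sendTLS10(plaintext []byte) record {
	iv := w.residue
	ct := cbcEncrypt(w.block, iv, plaintext)
	w.residue = append([]byte(nil), ct[len(ct)-blockSize:]...)
	return record{iv: iv, ciphertext: ct}
}

// sendRFC4346: IV = E_K(F XOR residue). The residue is public but K is not,
// so the IV is unpredictable to an observer without any extra randomness.
func (w *cbcWriter) sendRFC4346(plaintext []byte) record {
	masked := make([]byte, blockSize)
	for i := range masked {
		masked[i] = dummyBlock[i] ^ w.residue[i]
	}
	iv := make([]byte, blockSize)
	w.block.Encrypt(iv, masked)
	ct := cbcEncrypt(w.block, iv, plaintext)
	w.residue = append([]byte(nil), ct[len(ct)-blockSize:]...)
	return record{iv: iv, ciphertext: ct}
}

// observerGuess is the only prediction a passive observer can make for the
// next IV from the wire alone: the last ciphertext block just seen.
func observerGuess(prev record) []byte {
	return prev.ciphertext[len(prev.ciphertext)-blockSize:]
}

// ivPredictable sends two records with the chosen scheme and reports whether
// the observer's guess from the first equals the IV used for the second.
func ivPredictable(key, msg []byte, useRFC4346 bool) bool {
	w := newWriter(key)
	send := w.sendTLS10
	if useRFC4346 {
		send = w.sendRFC4346
	}
	first := send(msg)
	second := send(msg)
	return bytes.Equal(observerGuess(first), second.iv)
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 16)                    // constructed demo key
	msg := []byte("sixteen-byte msg" + "second block OK!") // two full blocks
	fmt.Println("TLS 1.0 chained IV predictable:", ivPredictable(key, msg, false))
	fmt.Println("RFC 4346 option 3 IV predictable:", ivPredictable(key, msg, true))
}
```

The chained-IV case reports `true`: the observer's guess is exactly the IV the next record will use, which is the precondition for the chosen-plaintext attacks on CBC that the quoted message mentions. The RFC 4346 derivation reports `false` because the guess would have to equal the AES encryption of a value under a key the observer does not hold. Note that the derived IV depends only on the key and the previous ciphertext, so the receiver does not need to reproduce it; it is simply transmitted with the record.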
_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls