
Re: [TLS] Re: SIV as WG item?



Hi Eric,

On 1/18/08 9:36 AM, "Eric Rescorla" <ekr@xxxxxxxxxxxxxxxxxxxx> wrote:

> At Thu, 17 Jan 2008 10:39:34 -0800,
> mcgrew wrote:
>> Now, returning to the comparison between SIV and the use of CBC in TLS, SIV
>> does well in this competition.  It has the advantage that it does not
>> require any initialization vector.  It avoids the vulnerabilities that CBC
>> has to chosen-plaintext attacks whenever the IV is predictable (as it
>> unfortunately can be in TLS), while not requiring a random IV and not
>> requiring any nonce management.  Not requiring any random source is a nice
>> property.
> 
> 
> David,
> 
> I'm not sure I understand this argument. It's certainly true that
> CBC in TLS needs to be used with an unpredictable IV, but this
> doesn't require an independent random source. Indeed, RFC 4346
> includes several suggested methods for generating IVs without one,
> for instance, enciphering a dummy block using the encryption
> key and the CBC state from the previous record.
> 
> -Ekr

Good point, thanks for mentioning it.

David



_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls
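The exchange above turns on one fact: CBC is only safe against chosen-plaintext attacks when the attacker cannot predict the block that will be XORed into the next plaintext block. The following is an added example, not code from the thread or from any IETF document, that makes the two positions concrete. It models a TLS 1.0 style CBC record layer whose IV is the last ciphertext block of the previous record (predictable), runs the block-equality chosen-plaintext test against it, and then repeats the test against the RFC 4346 §6.2.3.2 alternative Ekr mentions, where a fixed dummy block is encrypted under the previous CBC residue and its ciphertext becomes the effective IV. AES-128, the all-zero dummy block, the constructed key and the one-block "cookie" record are all assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const blockSize = aes.BlockSize

// cbcSender models the encrypting side of a CBC record layer.
// maskDummy == false: TLS 1.0 behaviour, the IV of each record is the last
// ciphertext block of the previous record, so the attacker knows it in advance.
// maskDummy == true: the RFC 4346 alternative, a fixed dummy block F is prepended
// to each record and encrypted under the CBC residue; its ciphertext, which the
// attacker cannot compute without the key, is what masks the real first block.
type cbcSender struct {
	block     cipher.Block
	residue   []byte // CBC state carried from one record to the next
	maskDummy bool
}

func newCBCSender(key []byte, maskDummy bool) *cbcSender {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	iv := make([]byte, blockSize)
	if _, err := rand.Read(iv); err != nil { // first IV must be strongly random in both modes
		panic(err)
	}
	return &cbcSender{block: block, residue: iv, maskDummy: maskDummy}
}

// nextIV is what a network observer knows before the next record is sent:
// the CBC residue. In chained mode this is exactly the next IV.
func (s *cbcSender) nextIV() []byte { return append([]byte(nil), s.residue...) }

// encryptRecord CBC-encrypts whole blocks, carrying the residue forward. In mask
// mode the dummy block's ciphertext is kept as state but not returned as payload.
func (s *cbcSender) encryptRecord(pt []byte) []byte {
	if len(pt)%blockSize != 0 {
		panic("example uses whole blocks only")
	}
	data := pt
	if s.maskDummy {
		dummy := bytes.Repeat([]byte{0x00}, blockSize) // assumed fixed block F
		data = append(dummy, pt...)
	}
	ct := make([]byte, len(data))
	cipher.NewCBCEncrypter(s.block, s.residue).CryptBlocks(ct, data)
	s.residue = append([]byte(nil), ct[len(ct)-blockSize:]...)
	if s.maskDummy {
		return ct[blockSize:]
	}
	return ct
}

func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// guessBlock is the chosen-plaintext equality test. The attacker saw ciphertext
// block targetCT, believes chainIn was XORed into the target plaintext, and reads
// the upcoming IV. Sending guess^chainIn^nextIV reproduces targetCT iff the guess
// equals the target plaintext block and the IV really was predictable.
func guessBlock(s *cbcSender, targetCT, chainIn, guess []byte) bool {
	probe := xor(xor(guess, chainIn), s.nextIV())
	ct := s.encryptRecord(probe)
	return bytes.Equal(ct[:blockSize], targetCT)
}

// runScenario encrypts one secret record, then lets the attacker test a right
// and a wrong guess. It returns (rightGuessConfirmed, wrongGuessConfirmed).
func runScenario(maskDummy bool) (bool, bool) {
	key := bytes.Repeat([]byte{0x42}, 16) // constructed key
	s := newCBCSender(key, maskDummy)
	secret := []byte("Cookie=SECRET123") // constructed 16-byte record
	chainIn := s.nextIV()
	ct := s.encryptRecord(secret)
	right := guessBlock(s, ct[:blockSize], chainIn, secret)
	wrong := guessBlock(s, ct[:blockSize], chainIn, []byte("Cookie=WRONG0000"))
	return right, wrong
}

func main() {
	r, w := runScenario(false)
	fmt.Printf("chained IV:        right guess confirmed=%v wrong guess confirmed=%v\n", r, w)
	r, w = runScenario(true)
	fmt.Printf("masked dummy block: right guess confirmed=%v wrong guess confirmed=%v\n", r, w)
}
```

In chained mode the oracle confirms the correct guess and rejects the wrong one, which is the distinguishing power McGrew's remark refers to. In mask mode neither guess matches, because the block actually XORed into the secret was the ciphertext of the dummy block, not the residue the attacker observed; this needs no random source beyond the first IV, which is Ekr's point. RFC 4346 itself notes this alternative is not shown to be as strong as a fresh random IV per record, so the example demonstrates the equality test failing, not a security proof.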