Re: [PATCH] Delete cryptoloop

From: Jack Lloyd
Date: Thu Jul 22 2004 - 09:59:52 EST


On Thu, Jul 22, 2004 at 02:14:42PM +0000, H. Peter Anvin wrote:

> So does cryptoloop use a different IV for different blocks? The need
> for the IV to be secret is different for different ciphers, but for
> block ciphers the rule is that is must not repeat, and at least
> according to some people must not be trivially predictable. One way
> to do that is to use a secure hash of (key,block #) as the IV.

Using an HMAC for this (with the input being the block #) seems like a better
idea, as there is less risk of leaking bits of the key if any attack on the
hash is found. Since secure hash == SHA-1 or better, you would have to truncate
it to use as an IV for a 64 or 128 bit cipher, which would make it harder for
someone looking at the IVs to make a guess on the key, but HMAC is pretty
cheap.

For block ciphers in CBC mode, simply not repeating and being somewhat
non-predictable is sufficient. That's easy enough.

For something like, say, counter mode, you have to make sure that they never
overlap; not only will a repeated IV cause trouble, but if one block is
encrypted with a particular IV, and another block is encrypted with IV + n
(viewing them as integers), then you'll leak some of the plaintext, because the
cipher stream will get reused. The obvious solution is to just use the (block
ID << log2(sector_size)) as the IV. The IV doesn't have to be unpredictable at
all for counter mode. The shift is needed, otherwise the second block of sector
2 will be encrypted with the same counter as the first block of sector one.

I'm not aware of any cipher or cipher mode where the IV or nonce has to be kept
secret from an attacker.

Jack
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/