On 12/02/2009 08:43 AM, Gregory BELLIER wrote:
>>> Do we use this last block somewhere else in NSS to justify this
>>> backup ?
>>>
>>
>> Yes, this last block needs to be saved for the next invocation
>> of the CBC encryption function.
>>
>>
> Ok, so now I understand better. The IV is data which needs to be
> changed after each operation. However, I just asked a colleague who
> knows better than me and he's surprised that the new IV is the
> last block. It brings 2 concerns :
>
> 1- The new IV is supposed to be random in this case, it is not. Should
> we be concerned about that ?

No, it's just unpredictable to someone trying to do injection attacks, which it is here (assuming the attacker doesn't have access to your internal state).

>
> 2- In the case of SEED, after decryption in the else part, the new IV
> is a part of cleartext :
> http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/freebl/seed.c&mark=521,537,542
>

No, IVs are usually assumed to be publicly known.

>
> Are these 2 points serious ?
This code is a direct result of the definition of CBC. The IV is a random value used to initiate the CBC. Different IVs will generate completely different output streams as follows:

    CBC => output(n) = Encrypt(data(n) + output(n-1))

If data(0) is the first block, output(-1) is the IV.

NOTE: the 'iv' for the next block in the sequence is always public because it's the cipher text block itself.

The functions you are looking at are used in a sequence that looks like this (extremely simplified):

    cx = Encrypt_Init(key, iv);
    Encrypt_Update(cx, data_in, data_out, len);
    Encrypt_Update(cx, data_in2, data_out2, len2);
    Encrypt_Update(cx, data_in3, data_out3, len3);
    Encrypt_final(cx);

data_in, data_in2, and data_in3 are part of a contiguous input stream, and data_out, data_out2, and data_out3 are part of a contiguous output stream.

bob
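The chaining rule Bob describes (the "+" is a bytewise XOR), worked through as an added example that is not NSS code: a stand-in block cipher (a toy 4-round Feistel built on SHA-256, assumed here only so the example runs without a crypto library) under CBC, where each call returns the last ciphertext block as the IV for the next call, so an Encrypt_Update-style sequence of chunks produces the same stream as one-shot encryption, and where the decrypt side chains on the ciphertext block, not on the recovered plaintext. Inputs are assumed to be whole blocks.

```python
import hashlib

BLOCK = 16  # block size in bytes; SEED and AES both use 128-bit blocks

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[: BLOCK // 2]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Toy 4-round Feistel permutation standing in for the real cipher (SEED, AES, ...).
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rnd in range(4):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right

def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right

def cbc_encrypt(key: bytes, iv: bytes, data: bytes):
    # output(n) = Encrypt(data(n) XOR output(n-1)), with output(-1) = iv.
    # Returns the ciphertext and the chaining value for the next call: the last ciphertext block.
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i : i + BLOCK], prev))
        out += prev
    return bytes(out), prev

def cbc_decrypt(key: bytes, iv: bytes, data: bytes):
    # On the decrypt side the chaining value is also the ciphertext block just consumed
    # (public), never the recovered plaintext.
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        block = data[i : i + BLOCK]
        out += _xor(block_decrypt(key, block), prev)
        prev = block
    return bytes(out), prev

def streamed_encrypt(key: bytes, iv: bytes, chunks):
    # Encrypt_Update-style sequence: every call resumes from the previous call's last block.
    parts, chain = [], iv
    for chunk in chunks:
        ct, chain = cbc_encrypt(key, chain, chunk)
        parts.append(ct)
    return b"".join(parts)
```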
-- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto