Content deleted Content added
notUndid revision 1176047720 by 2603:6011:6B40:E2:3890:9FD0:CBD6:853A (talk) |
Rescuing 1 sources and tagging 0 as dead.) #IABot (v2.0.9.5 |
||
| (One intermediate revision by one other user not shown) | |||
Line 18:
| volume = 3897
| year = 2005| doi-access = free
| isbn = 978-3-540-33108-7
}}</ref><ref name="ECRYPT">{{cite tech report |author1 = Christophe De Cannière |author2 = Joseph Lano |author3 = Bart Preneel |title = Comments on the Rediscovery of Time/Memory/Data Trade-off Algorithm |institution = ECRYPT Stream Cipher Project |number = 40 |year = 2005 |url = http://www.ecrypt.eu.org/stream/papersdir/040.pdf }}</ref> When the IV is chosen at random, the probability of collisions due to the [[birthday problem]] must be taken into account. Traditional stream ciphers such as [[RC4]] do not support an explicit IV as input, and a custom solution for incorporating an IV into the cipher's key or internal state is needed. Some designs realized in practice are known to be insecure; the [[Wired Equivalent Privacy|WEP]] protocol is a notable example, and is prone to related-IV attacks.
Line 51 ⟶ 52:
== SSL 2.0 IV ==
In [[Block cipher mode of operation#Cipher_block_chaining_(CBC)|cipher-block chaining mode]] (CBC mode), the IV need not be secret, but must be unpredictable (In particular, for any given plaintext, it must not be possible to predict the IV that will be associated to the plaintext in advance of the generation of the IV.) at encryption time. Additionally for the [[Block cipher mode of operation#OFB|output feedback mode]] (OFB mode), the IV must be unique.<ref>{{citation |author = Morris Dworkin |title = NIST Recommendation for Block Cipher Modes of Operation; Chapters 6.2 and 6.4 |date = 2001 |url = https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf }}</ref> In particular, the (previously) common practice of re-using the last ciphertext block of a message as the IV for the next message is insecure (for example, this method was used by SSL 2.0). If an attacker knows the IV (or the previous block of ciphertext) before he specifies the next plaintext, he can check his guess about plaintext of some block that was encrypted with the same key before. This is known as the TLS CBC IV attack, also called the [[Transport Layer Security#BEAST attack|BEAST attack]].<ref>{{citation |author = B. Moeller |title = Security of CBC Ciphersuites in SSL/TLS: Problems and Countermeasures |date = May 20, 2004 |url = http://www.openssl.org/~bodo/tls-cbc.txt |access-date = September 1, 2014 |archive-date = June 30, 2012 |archive-url = https://web.archive.org/web/20120630143111/http://www.openssl.org/~bodo/tls-cbc.txt |url-status = dead }}</ref>
== See also ==
| |||