[krbdev.mit.edu #2229] IV problem with AES (krb5-1.3.2 beta2)

Ken Raeburn via RT rt-comment at krbdev.mit.edu
Thu Feb 12 15:00:34 EST 2004


On Thursday, Feb 12, 2004, at 08:14 US/Eastern, Wyllys Ingersoll via RT 
wrote:
> 3DES does not appear to have the same problem.  One (admittedly ugly)
> fix would be to have dk_encrypt/decrypt check the enctype before
> updating the IV and only do it for 3DES.

Right on both counts ... it is a simple fix, and it's ugly. :-)

> For AES, is it correct to use the final block as the next IV
> (currently being done in dk_encrypt/decrypt) or the n-2 block
> (which is what happens in aes.c) ?   Because CTS is an odd mode
> that swaps the final 2 blocks, it makes choosing the IV a little
> trickier.

Having the last block be incomplete makes things even trickier if you 
use it.  The updated drafts getting submitted clarify that for AES-CTS 
it's the next to last block (the one that would be the final block in 
"normal" CBC if it were not for the swap).

>   Why was CTS chosen again??? :)

Dropping the padding, especially for AES with its larger block size.  
And to widen the spec and exercise the code so that we can deal with 
something that isn't plain old CBC with padding, which clearly is 
giving us a little trouble...

Ken
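
The mode Ken describes above, as an added example that is not part of this thread or of the krb5 sources: CBC with ciphertext stealing in the form the submitted AES drafts were published as (RFC 3962, section 5), written in Go on top of crypto/aes. The point of the example is the chaining rule discussed in the thread: after the swap of the last two blocks, the block to carry forward as the next IV is the next-to-last ciphertext block (the one that would have been the final block of ordinary CBC), not the final block, which may be truncated to as little as one byte. The key is the RFC 3962 Appendix B test key ("chicken teriyaki") with an all-zero IV; the function names (ctsEncrypt, ctsDecrypt, appendixBCipher, rfc3962Encrypt) and the error texts are mine, not krb5's.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// ctsEncrypt is CBC with ciphertext stealing as in RFC 3962 section 5 (the Kerberos
// aes*-cts-hmac-sha1-96 mode).  Besides the ciphertext it returns the block to chain
// into the next message: the next-to-last ciphertext block, i.e. the one that would
// have been the final block of plain CBC had the last two blocks not been swapped.
func ctsEncrypt(block cipher.Block, iv, pt []byte) (ct, nextIV []byte, err error) {
	bs := block.BlockSize()
	if len(iv) != bs || len(pt) < bs {
		return nil, nil, fmt.Errorf("need a %d-byte IV and at least %d input bytes", bs, bs)
	}
	n := (len(pt) + bs - 1) / bs // block count; the last block may be partial
	ct, prev := make([]byte, len(pt)), iv
	for i := 0; i < n-2; i++ { // plain CBC for all but the last two blocks
		c := ct[i*bs : (i+1)*bs]
		block.Encrypt(c, xorBytes(pt[i*bs:(i+1)*bs], prev))
		prev = c
	}
	if n == 1 { // one full block: CBC and CTS coincide, nothing to swap
		block.Encrypt(ct, xorBytes(pt, prev))
		return ct, append([]byte(nil), ct...), nil
	}
	cn1 := make([]byte, bs) // C_{n-1}' = E(P_{n-1} xor C_{n-2}), held back for now
	block.Encrypt(cn1, xorBytes(pt[(n-2)*bs:(n-1)*bs], prev))
	padded := make([]byte, bs)
	r := copy(padded, pt[(n-1)*bs:]) // P_n zero-padded; r = bytes in the final block
	cn := ct[(n-2)*bs : (n-1)*bs]    // E(pad(P_n) xor C_{n-1}') lands NEXT-TO-LAST ...
	block.Encrypt(cn, xorBytes(padded, cn1))
	copy(ct[(n-1)*bs:], cn1[:r]) // ... and the truncated C_{n-1}' goes last: the swap
	return ct, append([]byte(nil), cn...), nil
}

// ctsDecrypt inverts ctsEncrypt and reports the same chaining block.
func ctsDecrypt(block cipher.Block, iv, ct []byte) (pt, nextIV []byte, err error) {
	bs := block.BlockSize()
	if len(iv) != bs || len(ct) < bs {
		return nil, nil, fmt.Errorf("need a %d-byte IV and at least %d input bytes", bs, bs)
	}
	n := (len(ct) + bs - 1) / bs
	pt, prev, tmp := make([]byte, len(ct)), iv, make([]byte, bs)
	for i := 0; i < n-2; i++ {
		c := ct[i*bs : (i+1)*bs]
		block.Decrypt(tmp, c)
		copy(pt[i*bs:], xorBytes(tmp, prev))
		prev = c
	}
	if n == 1 {
		block.Decrypt(tmp, ct)
		copy(pt, xorBytes(tmp, prev))
		return pt, append([]byte(nil), ct...), nil
	}
	cn, tail := ct[(n-2)*bs:(n-1)*bs], ct[(n-1)*bs:] // full block, then r bytes of C_{n-1}'
	r := len(tail)
	block.Decrypt(tmp, cn)                                   // tmp = pad(P_n) xor C_{n-1}'
	cn1 := append(append([]byte(nil), tail...), tmp[r:]...) // zero pad => tmp[r:] == C_{n-1}'[r:]
	copy(pt[(n-1)*bs:], xorBytes(tmp[:r], tail))           // P_n
	block.Decrypt(tmp, cn1)
	copy(pt[(n-2)*bs:], xorBytes(tmp, prev)) // P_{n-1}
	return pt, append([]byte(nil), cn...), nil
}

// appendixBCipher is AES-128 under the RFC 3962 Appendix B key ("chicken teriyaki").
func appendixBCipher() cipher.Block {
	key, _ := hex.DecodeString("636869636b656e207465726979616b69")
	block, _ := aes.NewCipher(key)
	return block
}

// rfc3962Encrypt returns (hex ciphertext, hex next IV) for a hex plaintext under the
// Appendix B key and its all-zero IV, the two values Appendix B lists per input.
func rfc3962Encrypt(inputHex string) (string, string) {
	pt, _ := hex.DecodeString(inputHex)
	ct, next, err := ctsEncrypt(appendixBCipher(), make([]byte, aes.BlockSize), pt)
	if err != nil {
		return "", ""
	}
	return hex.EncodeToString(ct), hex.EncodeToString(next)
}

func main() {
	// Appendix B, 17-byte input "I would like the ": one full block plus one byte.
	ct, next := rfc3962Encrypt("4920776f756c64206c696b652074686520")
	fmt.Println("ciphertext:          ", ct)
	fmt.Println("next IV (block n-1): ", next)
	fmt.Println("final block (1 byte):", ct[32:]) // far too short to serve as an IV
}
```

The 17-byte case makes the thread's point concrete: the ciphertext ends in a single stolen byte, so "use the final block as the next IV" (what the thread says dk_encrypt/decrypt were doing) is not even well-formed for CTS, whereas the next-to-last block is always a full block and is what both encrypt and decrypt hand back here. For 3DES with padding the two rules coincide, which is why that enctype showed no problem.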
