Opened 15 years ago

Closed 15 years ago

#7 closed clarification (fixed)

IV generation

Reported by: pasi.eronen@…
Owned by:
Priority: minor
Milestone: milestone1
Component: draft-ietf-tls-rfc4346-bis
Version: 02
Severity:
Keywords:
Page 20-21: Section under IV
The document specifies that the IV SHOULD be generated by method 
(1) or (2) and MAY be generated by an alternate method. There is, 
however, no language forbidding the generation of IVs by a fourth 
unlisted method. If a fourth method is used, the protocol will 
not fail but may be insecure. Therefore we recommend adding 
language forbidding the use of an unlisted method for IV 

Actually the whole text about IVs is quite long, and contains
implementation details that IMHO are likely to confuse rather 
than help an implementer.

How about just replacing the whole text about IVs with 
something like this?
   The Initialization Vector (IV) MUST be chosen at random, and
   MUST be unpredictable. See [SP800-38A] Appendix C for
   RECOMMENDED methods for generating unpredictable IVs.

   It is critical that the IV is not sent before the entire
   plaintext of the record is known; otherwise it is possible for
   the attacker to mount the attack described in [CBCATT].

   Note: In versions of TLS prior to 1.1, there was no IV field,
   and the last ciphertext block of the previous record (the "CBC
   residue") was used as the IV. This was changed to prevent the
   attacks described in [CBCATT].

So "SHOULD be chosen at random, and MUST be unpredictable" looks 
exactly right to me.
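The difference between the pre-1.1 "CBC residue" IV and the explicit, unpredictable IV proposed above is easy to see in code. The following Go program is an added illustration and is not part of this ticket or of the draft; it uses only the standard library (crypto/aes, crypto/cipher, crypto/rand). The names Record, RecordWriter, Seal, Open and IVWasPredictable are invented here, the 16-byte key is a constructed demo value, and the MAC that a real TLS record carries is left out because the example is only about how the IV is chosen. Drawing the IV from the operating system's random generator is one of the approaches [SP800-38A] Appendix C describes. In chained mode the IV of each record equals the last ciphertext block of the previous one, so it is visible on the wire before the next plaintext is even chosen; with a fresh random IV per record that is no longer the case.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is one CBC-protected record: the per-record IV that TLS 1.1 sends
// explicitly, followed by the padded, encrypted fragment. (No MAC here.)
type Record struct {
	IV         []byte
	Ciphertext []byte
}

// RecordWriter seals fragments in sequence. chainIV selects the pre-1.1
// behaviour (IV = last ciphertext block of the previous record, the "CBC
// residue"); otherwise each record gets a fresh unpredictable IV.
type RecordWriter struct {
	block   cipher.Block
	chainIV bool
	residue []byte // last ciphertext block of the previous record
}

func NewRecordWriter(key []byte, chainIV bool) (*RecordWriter, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	// Chaining needs a starting value; a random one is used for the first record.
	residue := make([]byte, block.BlockSize())
	if _, err := rand.Read(residue); err != nil {
		return nil, err
	}
	return &RecordWriter{block: block, chainIV: chainIV, residue: residue}, nil
}

// tlsPad appends TLS-style padding: padLen+1 bytes, each equal to padLen,
// so the total length becomes a multiple of the block size.
func tlsPad(p []byte, bs int) []byte {
	padLen := (bs - (len(p)+1)%bs) % bs
	out := make([]byte, len(p), len(p)+padLen+1)
	copy(out, p)
	for i := 0; i <= padLen; i++ {
		out = append(out, byte(padLen))
	}
	return out
}

// Seal encrypts one fragment. In chained mode the IV was already observable
// on the wire before this plaintext was chosen; in explicit mode it is drawn
// fresh from the OS random source for every record.
func (w *RecordWriter) Seal(fragment []byte) (Record, error) {
	bs := w.block.BlockSize()
	iv := make([]byte, bs)
	if w.chainIV {
		copy(iv, w.residue)
	} else if _, err := rand.Read(iv); err != nil {
		return Record{}, err
	}
	padded := tlsPad(fragment, bs)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(w.block, iv).CryptBlocks(ct, padded)
	w.residue = ct[len(ct)-bs:]
	return Record{IV: iv, Ciphertext: ct}, nil
}

// Open decrypts a record with its explicit IV and strips the padding.
func Open(key []byte, r Record) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(r.IV) != bs || len(r.Ciphertext) == 0 || len(r.Ciphertext)%bs != 0 {
		return nil, errors.New("malformed record")
	}
	pt := make([]byte, len(r.Ciphertext))
	cipher.NewCBCDecrypter(block, r.IV).CryptBlocks(pt, r.Ciphertext)
	padLen := int(pt[len(pt)-1])
	if padLen+1 > len(pt) {
		return nil, errors.New("bad padding")
	}
	for _, b := range pt[len(pt)-padLen-1:] {
		if int(b) != padLen {
			return nil, errors.New("bad padding")
		}
	}
	return pt[:len(pt)-padLen-1], nil
}

// IVWasPredictable reports whether the IV used for next equals the CBC residue
// of prev, i.e. whether someone who saw prev already knew next's IV. The
// proposed "MUST be unpredictable" wording rules exactly this out.
func IVWasPredictable(prev, next Record) bool {
	bs := len(next.IV)
	return bytes.Equal(prev.Ciphertext[len(prev.Ciphertext)-bs:], next.IV)
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 16) // constructed demo key, not a real one
	for _, chain := range []bool{true, false} {
		w, _ := NewRecordWriter(key, chain)
		r1, _ := w.Seal([]byte("first record"))
		r2, _ := w.Seal([]byte("second record"))
		fmt.Printf("chained IV=%v: next IV predictable from previous record: %v\n",
			chain, IVWasPredictable(r1, r2))
	}
}
```

Running it prints `true` for the chained variant and `false` for the explicit-IV variant, which is the whole point of the proposed text: the IV must not be derivable from anything the peer has already seen.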

Change History (2)

comment:1 Changed 15 years ago by pasi.eronen@…

  • Milestone set to milestone1

comment:2 Changed 15 years ago by ekr@…

  • Resolution set to fixed
  • Status changed from new to closed
