## New methods in hard disk encryption (2005)

Citations: 6 (0 self)

### BibTeX

```bibtex
@TECHREPORT{Fruhwirth05newmethods,
  author      = {Clemens Fruhwirth},
  title       = {New methods in hard disk encryption},
  institution = {},
  year        = {2005}
}
```

### Abstract

This work investigates the state of the art in hard disk cryptography. As the choice of the cipher mode is essential for the security of hard disk data, we discuss the recent cipher mode developments at two standardisation bodies, NIST and IEEE. It is a necessity to consider new developments, as the most common cipher mode – namely CBC – has many security problems. This work devotes a chapter to the analysis of CBC weaknesses. Among others, the main contributions of this work are (1) efficient algorithms for series of multiplications in a finite field (Galois Field), (2) an analysis of the security of password-based cryptography with respect to low-entropy attacks and (3) a design template for secure key management, namely TKS1. For the latter, it is assumed that key management has to be done on regular user hardware in the absence of any special security hardware such as key tokens. We solve the problems arising from magnetic storage by introducing a method called the anti-forensic information splitter. This work is complemented by the presentation of a system implementing a variant

### Citations

- **Random oracles are practical: A paradigm for designing efficient protocols**, Bellare, Rogaway, 1993 (1330 citations)
  Citation context: ...e reduce the latency of the system. Provable security A methodology first explicitly formulated by Bellare and Rogaway is the proof of the security of a cipher mode by the use of the random oracle model [BR93]. For cipher primitives, the distinguishing attack class aims to cover all other attacks, like known plaintext, chosen plaintext, chosen ciphertext and so on. Cryptographers are cautious people, and t...

- **Probabilistic encryption**, Goldwasser, Micali, 1984 (1173 citations)
  Citation context: ...in plaintext by finding the point where the ciphertext starts to differ. This weakness can only be cured when the encryption is randomised. A general approach to probabilistic encryption is given in [GM84]. In brief, a random salt is added to the encryption result, making the ciphertext larger than the plaintext. With this expansion, it is possible to map the same plaintext to multiple ciphertexts. So,...

- **Applied Cryptography, Protocols, Algorithms and Source Code in C**, Schneier, 1996 (781 citations)
  Citation context: ...domly. Here it is deduced from key material. (fn. 3) The name of this mode comes from Colin Plumb, who proposed this mode on the Linux Kernel Mailing List. Bruce Schneier also mentions this construction in [Sch96] p. 224, but does not give a name for it, so we will refer to it as Plumb-IV. [...] see (3.3). First, all plaintext blocks from 2 to n are recovered. This is possible as $C_1 \ldots C$...

- **Finite Fields**, Lidl, Niederreiter, 1997 (525 citations)

- **Nonmalleable cryptography**, Dolev, Dwork, et al., 2006 (448 citations)
  Citation context: ...opaque, but the price for this is that all sectors of these larger structures have to be accessed when a single sector is read or written. 4.5 Malleability Non-malleable cryptography is introduced in [DDN98]. It is an extension of the already strong notion of semantically secure cryptography as defined by [GM84]. Informally, malleability is defined such that, given a ciphertext E(α), the chance of generatin...

- **New hash functions and their use in authentication and set equality**, Wegman, Carter, 1981 (329 citations)
  Citation context: ...any parallelisation. CWC is the attempt to replace the MAC component by the parallelisable “Carter-Wegman” scheme for a Message Authentication Code. The theoretical foundation for this MAC is laid in [WC81]. The authentication tag T is computed as the result of a polynomial modulo $2^{127} - 1$ for a given x, and a series of coefficients $Y_1 \ldots Y_n$ corresponding to the message represented as 96-bit inte...

- **Authenticated encryption: Relations among notions and analysis of the generic composition paradigm**, Bellare, Namprempre, 2000 (221 citations)
  Citation context: ...The encryption and the authentication are done independently. The result is provided separately as $A_K(M) \| E_K(M)$. Most cipher modes we encounter are of the type “encrypt-then-mac”. By the findings of [BN00], the encrypt-then-mac construction always achieves the desired security, while encrypt-and-mac does not. Also for the mac-then-encrypt scheme, its security is not as guaranteed as for encrypt-then-mac...

- **Secure deletion of data from magnetic and solid-state memory**, Gutmann (125 citations)
  Citation context: ...tire value domain. To make this scheme better implementable, the coefficients should be elements of a Galois Field. 5.2 Anti-forensic data storage 5.2.1 The problem with magnetic storage According to [Gut96], hard disks have a very long memory. Even if data appears to be gone, even if the disk has been reinitialised with zeros, even if you invoked the security-erase ATA command of your IDE hard disk, dat...

- **Practical Cryptography**, Ferguson, Schneier, 2003 (118 citations)
  Citation context: ...ticated and unencrypted it is a target for potential manipulation. When negotiating the IV, the receiver has to make sure that the IV is authentic. Ways for secure CBC IV negotiation are described in [FS03]. What is also important about a cipher mode design is its parallelisation characteristic. This is especially interesting for hard disk encryption, because usual hard ciphers cannot keep pace with the...

- **Introduction to combinatorial mathematics**, Liu, 1968 (113 citations)
  Citation context: ...6], pp. 70. [...] 5.1.3 Threshold schemes Even though any combination can be built by disjunction and conjunction, it has limitations. Consider the problem posed by Liu in [Liu68]: Eleven scientists are working on a secret project. They wish to lock up the documents in a cabinet so that the cabinet can be opened if and only if six or more scientists are present. What is the sm...

- **Encryption modes with almost free message integrity**, Jutla, 2001 (106 citations)
  Citation context: ...ing in plaintext, so it does not interfere with the encryption process. This technique is already included at cipher level in recent cipher designs. 3.4.7 IAPM IAPM is a refinement of IACBC introduced in [Jut00]. Instead of recursion, IAPM uses $S_i$ as pre- and post-whitening value. The resulting construction $E(P_i \oplus S_i) \oplus S_i$ is similar to the tweakable cipher mode construction given by Liskov, Rivest and Wagne...

- **Computer Organization and Design**, Patterson, John (75 citations)
  Citation context: ...c applications (fn. 13) according to http://top500.org (fn. 14) FLOPS are not suitable as a base for comparisons in every aspect. For a more in-depth treatment of the art of benchmarking, we refer the reader to [PH97]. We still use FLOPS, as the aspects of hardware specialisation are addressed separately. (fn. 15) http://www.tech-report.com/reviews/2002q1/northwood-vs-2000/index.x?pg=3, http://www.tech-report.com/review...

- **A Tweakable Enciphering Mode**, Halevi, Rogaway (66 citations)
  Citation context: ...icular, LRW-AES uses Galois Field multiplications, which are considered in the security proof in [BGKM03]. 3.6.2 EME: ECB-mix-ECB EME is a parallelisable cipher mode developed by Halevi and Rogaway in [HR03a]. EME can be decomposed into 5 stages involving 3 complete traversals of the data. At key setup, L is computed as $L = E_k(0^n)$. (fn. 22) 1. preprocessing by XORing $L \otimes 2^n$ into the plaintext block $P_n$. 2. e...

- **Fast encryption and authentication: XCBC encryption and XECB authentication modes**, Gligor, Donescu (59 citations)
  Citation context: ... that provide authentication with a single block cipher call per plaintext block. In contrast, all ETA constructions have to use two. 3.4.11 XCBC-XOR XCBC-XOR is a descendant of XCBC as specified in [GD00b] (fn. 18). First, we will describe XCBC and later see how it is combined with an XOR sum to ensure authenticity. XCBC builds upon CBC, but post-processes the blocks by adding a whitening value, hence any e...

- **An FPGA Implementation and Performance Evaluation of the AES Block Cipher Candidate Algorithm Finalists**, AES3: The Third Advanced Encryption..., Elbirt, 2000 (43 citations)
  Citation context: ...ffers a hand-optimised AES library [Lip]. It is the fastest implementation on Intel at the time of this writing. A block is encrypted at 254 cycles/block. The fastest FPGA implementation presented in [EYCP00] is able to deliver an encrypted block in only 2.1 cycles. To summarise: We found a specialisation advantage of magnitude 1:10 for SHA1, 1:5 for MD5 and 1:100 for AES. There are real world examples of...

- **A Parallelizable Enciphering Mode**, Halevi, Rogaway (42 citations)
  Citation context: identical to the context listed under “A Tweakable Enciphering Mode” above (CiteSeerX associates the same [HR03a] passage with both records).

- **The random oracle methodology**, Canetti, Goldreich, et al., 1985 (41 citations)
  Citation context: ... terms negotiations. It simply does not pay off. For instance, there are many free two-pass authenticated encryption modes, but also many one-pass patented modes. Choosing a two-pass design over a (fn. 12) [CGH04] shows that things are not as straightforward. Canetti, Goldreich and Halevi give a class of protocols that result in an insecure cipher mode when their random oracle is replaced by a real implement...

- **Fast hashing on Pentium**, Bosselaers, Govaerts, et al., 1996 (37 citations)
  Citation context: ...hash functions. An MD4-family hash has 3 to 5 rounds, each consisting of 16 steps – except SHA1, which has 20 steps. The members of the MD4-family differ in their step function. The authors of [BGV96] have done a good job of optimising every cycle out of their implementations for the MD4-family on the Pentium architecture. The results (fn. 16) are an 837 cycles/block SHA1 implementation and a 337 cycles/...

- **How to share a secret**, Shamir, 1979 (32 citations)
  Citation context: ... secret, if at minimum k secret fragments out of n are available. A threshold scheme can be constructed by means of an algebraic system of polynomials. An example of such a scheme is developed in [Sha79]. A polynomial of order k − 1, $f(x) = a_{k-1} x^{k-1} + a_{k-2} x^{k-2} + \cdots + a_1 x + a_0$, with $a_1 \ldots a_{k-1}$ random constants and $a_0$ equal to the secret can be used to implement the threshold scheme. This poly...

- **CWC: A high-performance conventional authenticated encryption mode**, Kohno, Viega, et al., 2004 (31 citations)
  Citation context: ...+1) ... $P_2 \bmod 2^{127} - 1$ (3.6) $P_1$ and $P_2$ can be evaluated in parallel by the original algorithm. After that, the results are combined as $P_1 x + P_2$. The cipher mode is presented in more detail in [KVW03] including a security proof. 3.4.5 GCM: Galois Counter Mode GCM tries to hone the properties of CWC even more. GCM utilises Galois Field multiplications to hash additional authentication data with a u...

- **Hash function balance and its impact on birthday attacks**, Bellare, Kohno, 2004 (27 citations)
  Citation context: ...e mathematical fact that it is very likely to see duplicate keys – when chosen randomly – after having seen $\sqrt{2^n}$ keys (n is the key size). A more in-depth treatment of the birthday paradox is given in [BK04]. 4.2.4 Extending the attack Further information is available to the attacker. Any succeeding identical pair of ciphertexts that follows the initial identical cipher pair hints that the corresponding...

- **A fast large block cipher for disk sector encryption**, Mercy, 2000 (21 citations)
  Citation context: ...ock cipher instead of a wide cipher mode, [BR99], [Luc96], but none of them is suitable for hard disk encryption, because either they are not tweakable or have certificational weaknesses according to [Cro00]. [Cro00] also introduces a wide block cipher named Mercy, which aims to close all these gaps. Unfortunately, it has other problems, and was successfully cryptanalysed by Fluhrer in [Flu01]. (fn. 21) The fu...

- **The Extended Codebook (XCB) Mode of Operation**, Cryptology ePrint Archive, Report 2004/278, McGrew, Fluhrer, 2004 (20 citations)
  Citation context: ... encrypted at the third round of the Luby-Rackoff cipher utilising the A as IV of a counter mode key stream, just like in ABL. XCB features nearly a single cipher block invocation per block. See also [MF04] or [MF05]. 3.7 NIST: Authentication modes As authentication modes play a minor role in hard disk encryption, we have a look at only three of them. Two of them have counterparts as authenticated encry...

- **Nonce-based symmetric encryption**, Rogaway (16 citations)
  Citation context: ...ight use distinguishing attacks against the cipher mode, when a predictable IV is used for a cipher mode that requires an unpredictable one. An example of a distinguishing attack on CBC is given in [Rog04]. Uniqueness A cipher mode might require the IV to be unique. The implications, if this requirement is violated, are different. See below. We distinguish the following types of initialisation vectors:...

- **On the Construction of Variable-Input-Length Ciphers**, FSE, Bellare, Rogaway, 1999 (15 citations)
  Citation context: ... Field multiplication for H. LRW-AES, sometimes referred to as LRW-AES-32, is drafted by SISWG in [Ken04]. (fn. 20) A few proposals were made to construct a wide block cipher instead of a wide cipher mode, [BR99], [Luc96], but none of them is suitable for hard disk encryption, because either they are not tweakable or have certificational weaknesses according to [Cro00]. [Cro00] also introduces a wide block ci...

- **A conventional authenticated-encryption mode**, Bellare, Rogaway, et al., 2003 (13 citations)
  Citation context: ...relative in the previous section. This change removes the requirement for the sender to know the message size in advance. The block cipher calls are almost identical to CCM. EAX has been presented in [BRW03]. 3.4.4 CWC The counter mode part of EAX and CCM can be processed in parallel, but OMAC and CBC-MAC are still recursive constructions that prevent any parallelisation. CWC is the attempt to replace th...

- **Prediction and entropy of printed** [title truncated on the page], Shannon, 1951 (13 citations)

- **BEAST: A fast block cipher for arbitrary block sizes**, Lucks, 1996 (11 citations)
  Citation context: ...ultiplication for H. LRW-AES, sometimes referred to as LRW-AES-32, is drafted by SISWG in [Ken04]. (fn. 20) A few proposals were made to construct a wide block cipher instead of a wide cipher mode, [BR99], [Luc96], but none of them is suitable for hard disk encryption, because either they are not tweakable or have certificational weaknesses according to [Cro00]. [Cro00] also introduces a wide block cipher name...

- **Block chaining modes of operation**, Knudsen, 2000 (7 citations)
  Citation context: ...blocks $P_1 \ldots P_i$, while decryption can be written as a function of only two blocks. For a discussion of the advantages and disadvantages of having a cipher mode with infinite error propagation, see [Knu00]. AREA works by appending a value L to the plaintext stream. If decryption is infinitely error propagating, then a bit-change in any $C_i$ will cause the last block's plaintext $P_n$ to change, as $P_n$ is depe...

- **An FPGA Implementation and Performance Evaluation of the AES Block Cipher Candidate Algorithm Finalists**, Elbirt, Yip, Paar, et al. (6 citations)
  Citation context: identical to the context listed under the Elbirt 2000 record of the same title above (CiteSeerX associates the same [EYCP00] passage with both records).

- **On Message Integrity**, Stubblebine, Gligor, 1992 (6 citations)
  Citation context: ..., it is reasonable to use such a simple checksum mechanism. In general, an implementor should not try to glue an arbitrary MDC to an encryption algorithm and hope it will result in a secure solution. [GD00a] gives insights about the different types of security goals that can be achieved by such synthetic constructions. 3.4.2 CCM: CBC-MAC with Counter CCM's security function is AEAD, so it can not only aut...

- **Even faster hashing on the Pentium**, Bosselaers, 1997 (5 citations)
  Citation context: .../reviews/2001q2/pentium4-1.7/index.x?pg=4, http://www.tech-report.com/reviews/2001q1/p4-vs-athlon/index3.x, http://www.hardwareanalysis.com/content/reviews/article/1475.5/ (fn. 16) after the refinements in [Bos97] [...] on FPGAs [Hel]. They claim that their cores achieve a speed of 65 cycles/block for MD5 and 82 cycles/block for SHA1. A similar speed is provided by a SHA1 core on op...

- **The Galois/Counter Mode of Operation (GCM)**, http://csrc.nist.gov/CryptoToolkit/modes/proposedmodes/gcm, McGrew, Viega, 2004 (5 citations)
  Citation context: ...8) is a field like Z, the same polynomial computation reordering can take place as for CWC. Hence, this mode is parallelisable. For more in-depth information, the reader is referred to the GCM paper [MV]. 3.4.6 IACBC IACBC stands for Integrity Aware Cipher Block Chaining and is introduced in [Jut01]. IACBC implements regular CBC with a post-whitening step of the ciphertext with $S_i$. $S_i$ is composed of ...

- **RMAC: A randomized MAC beyond the birthday paradox limit**, available at http://csrc.nist.gov/encryption/modes/proposedmodes, Jaulmes, Joux, et al. (4 citations)
  Citation context: ...ame plaintext will result in different MAC values. The MAC is said to be randomised. This property is shared only by XECB-MAC among the NIST proposals. For more information, the reader is referred to [JJV]. 3.7.2 XECB-MAC Most MAC schemes we discussed so far are descendants of CBC-MAC. With XECB we encounter a MAC scheme that comes from the class of XOR MACs. In general, an XOR MAC operates by 1. spl...

- **Draft Proposal for Tweakable Narrow-block Encryption**, Kent, 2004 (4 citations)
  Citation context: ...tics (fn. 21). $C_n = E_k(P_i \oplus H(T)) \oplus H(T)$ LRW-AES utilises this construction method by filling in a Galois Field multiplication for H. LRW-AES, sometimes referred to as LRW-AES-32, is drafted by SISWG in [Ken04]. (fn. 20) A few proposals were made to construct a wide block cipher instead of a wide cipher mode, [BR99], [Luc96], but none of them is suitable for hard disk encryption, because either they are not tweak...

- **Fundamental concepts of algebra**, Meserve, 1953 (4 citations)
  Citation context: ...he simplest case, where a modulo operation might happen. Before we have a look at the modulo mechanics at work here, we recall the division definition, which also defines modulo results. As given in [Mes82], [...] Proposition 3 If s and r are two polynomials over a field, then there are two unique polynomials p and q, where q < r, so that $s = p \cdot r + q$. r is the reduction polynom...

- **Special Publication 800-38A, Recommendation for Block Cipher Modes of Operation**, NIST (4 citations)
  Citation context: ...ption [Figure 3.4: CTR Mode encryption] m-bit stream blocks $S_i$. However, special care must be taken that the values used in the key stream generation are unique. See [NIS03b] and Section 3.8.1. As we will see in Section 4, the idea of using a counter for IV generation is used in a hybrid design with CBC to realise random-accessible data. 3.2 Modes for authentication The p...

- **ManTiCore: Encryption with joint cipher-state authentication**, 2003, Cryptology ePrint Archive 2003/154, available at http://eprint.iacr.org, Beaver, Draelos, et al., 2003 (3 citations)
  Citation context: ...text used for encryption is not altered. The concrete algorithm also includes special cases for encryption-only, and also detects weak whitening values (all-zero). The interested reader is referred to [BDST03]. 3.4.10 PCFB Propagating CFB (PCFB) is a slightly modified version of the regular CFB mode. Instead of using the shift register entirely for ciphertext, it is partially run in output feedback mode. A...

- **The Average Cycle Size of the Key Stream**, Davies, Parkin, 1983 (3 citations)
  Citation context: ...: CFB Mode encryption] The key stream of OFB is generated by $S_0 = IV$, $S_i = E_k(S_{i-1})$ when m = n. No other setting is stated here, as no other setting should be used. m < n is insecure, see [DP83], and choosing m < n also raises the computation burden for this mode. A nice property of OFB is that key material can be generated in advance. An idle processor could fill a key material cache for da...

- **RFC 2898 - PKCS #5: Password-based cryptography specification**, Kaliski (3 citations)
  Citation context: ... derivation function, as they are well defined for variable sized inputs such as passphrases. To make them CPU intensive, one just has to iterate them a number of times. PBKDF2 (presented in RFC 2898 [Kal97]) is based on this idea. PBKDF2 stands for “password-based key derivation function, revision 2”. When iterating the hash function h, we have to assure that by repeatedly applying it the co-domain of h...

- **PMAC: Proposal to NIST for a parallelizable message authentication code**, 2001, http://www.cs.ucdavis.edu/~rogaway, Rogaway (3 citations)
  Citation context: ...ing is necessary for the last block, $L \otimes x^{-1}$ is added to the XOR sum to distinguish non-padded and padded messages. The final XOR sum is encrypted and returned as tag. PMAC was introduced by Rogaway in [Rog01b]. 3.8 Evaluating the modes for Hard Disk Encryption Until now, the presentation of the cipher modes has been rather general. Hard disk encryption happens in a setting different from communication encr...

- **Encrypted Watermarks and Linux Laptop Security**, Saarinen, 2004 (3 citations)
  Citation context: ...be done in a single pass, and is much more feasible than finding two identical blocks that are scattered on the disk as assumed in Section 4.2. A complete description of watermarking can be found in [Saa04]. This attack has been demonstrated to work in a real implementation. The attack can be defeated by using ESSIV or by totally diverting from CBC. 4.4 Data modification leak CBC encryption is recursive...

- **TMAC: Two-Key CBC MAC**, Cryptology ePrint Archive, Kurosawa, Iwata, 2003 (2 citations)

- **Refining the Estimated Entropy of English by Shannon Game Simulation**, http://cs.fit.edu/~mmahoney/dissertation/entropy1.html, Mahoney, 1999 (2 citations)
  Citation context: ...e feasibility of dictionary or low entropy attacks becomes smaller every day. (fn. 2) A-Z, a-z, 0-9, '/', '.' (fn. 3) $\prod_{1}^{13} 64 = 2^{78}$ (fn. 4) The entropy per character is less than 1.2 bits according to Shannon's experiment [Mah00] (fn. 5) See the NIST report on picture passwords [NIS03c] [...] 5.3.2 PBKDF2 There is no deterministic algorithm that can magically sprinkle entropy on top of a short passphrase....

- **Arbitrary block length (ABL) mode: security without data expansion**, Submission to..., McGrew, Viega (2 citations)
  Citation context: ... ABL4, because this property is vital for hard disk encryption. We will also stick to the one-key description given in the SISWG draft [MV04b], instead of the multi-key variant given in the ABL paper [MV04a]. Figure 3.11 depicts ABL4. ABL4 splits the message into two halves, A and B, where A is the first 128-bit block of the plaintext and B is the rest. $f_i$, $g_i$ are pseudo-random functions that need not be...

- **The On-Line Encyclopedia of Integer Sequences**, Research (1 citation)

- **The HMAC papers**, Bellare, Canetti, et al., 1996 (1 citation)
  Citation context: ...s see [Use01]. In addition, PBKDF2 can generate an output of arbitrary length k. The following function f builds on the iteration of a pseudo-random function, usually a hash function in an HMAC setup [BCK97]. It yields the i-th block (fn. 11) derived from the password p, the salt s, and the iteration depth c. $f(p, c, s, i) = h_1(s \| i) \oplus h_2(s \| i) \oplus \cdots \oplus h_c(s \| i)$ where $h_j(a) = \mathrm{PRF}(P, h_{j-1}(a))$ a...

- **Encryption Of Stored Data In Networks: Analysis of a tweaked block cipher**, Blake, Guyot, et al. (1 citation)
  Citation context: ...o be ε-almost 2-xor-universal, short ε-AXU2. The formal definition of this property is $\forall x, y, z : \Pr_h[h(x) \oplus h(y) = z] < \varepsilon$. A proof that Galois Field multiplications belong to this class is given in [BGKM03]. [...] [Figure 3.8: LRW-AES Mode] LRW-AES ties a ciphertext to a disk location by pre- and post-processing the cipher block with the result of Galois Field multiplic...

- **Annex C: Approved Random Number Generators for FIPS PUB** [title truncated on the page], Campbell, Easter, 2005 (1 citation)
  Citation context: ... be reused. IV or initialisation vector: general term used for all of the above. NIST [NIS03b] recommends two methods to generate initialisation vectors for CBC and CFB, either by a FIPS-approved PRNG [CE05], or by calling $E_k(ctr)$, where ctr is a counter. For OFB, the IV may be predictable (contrary to the other modes above) but also has to be unique. So for OFB, an unencrypted counter is sufficient. For...

- **Collision attacks on** [title truncated on the page], Ferguson (1 citation)
  Citation context: ...ext, the term “property” is a misnomer, as the essence of the expression “property” is the constraint of the rights of third parties. (fn. 14) Ferguson describes this attitude briefly in the introduction to [Fer02]. [...] patented two-pass design makes sense, because the additional cost of an AES engine in silicon is likely to be smaller than the licensing fees. 3.4 NIST: Authenticated Encr...