[cryptography] "Combined" cipher modes
jkatz at cs.umd.edu
Mon Feb 20 07:12:58 EST 2012
On Mon, 20 Feb 2012, Harald Hanche-Olsen wrote:
> ["Kevin W. Wall" <kevin.w.wall at gmail.com> (2012-02-20 07:11:52 UTC)]
>> So my first question: Are there ANY "combined" cipher modes
>> for block ciphers that do not cause the ciphers to act as a key
>> stream? (That seems to be because most of the ones I found build
>> the confidentiality piece around CTR mode.) If "yes", please name
>> a few (especially those with no patent restrictions).
You can always construct a "combined" mode (also called an "authenticated
encryption scheme") by combining a secure encryption scheme with a message
authentication code (MAC) -- applying the MAC to the ciphertext, using
independent keys. The NIST modes and others you have seen are slightly
more efficient, however.
>> So my second question is, if all the "combined" cipher modes
>> cause a cipher to act as if it is in a streaming mode, is it okay
>> to just choose a completely RANDOM IV for each encryption?
> I'll bite on this one, leaving the harder part of your question to the
> real experts. Yes, that should be okay, PROVIDED you have access to a
> good source of entropy (aka randomness). See the long, long thread on
> duplicate primes in RSA moduli to get a notion of how horribly wrong
> things can go if you don't.
What he said. Note also that the potential problems with IV reuse, etc.,
don't go away by choosing a non-streaming mode, anyway. But modes are
designed to be secure assuming the IVs are randomly chosen.