[PYTHON-CRYPTO] things missing from PEP 272
Paul Rubin
phr-pycrypt at nightsong.com
Tue Mar 19 10:00:26 CET 2002
The only solutions that I can think of are either to use keys that are
guaranteed to be no more persistent than the IV, or to delay sending
encrypted messages until you get a positive "I'm now durable" signal
(yeah right) from the counter state's persistent store, or better,
generate a new random IV on startup. (You can then increment it for
each successive message or generate a new random one for each
successive message.)
Anyway, that's why I think the IV should be a string not an integer.
Normally you use CTR mode by choosing a random key and initializing
the counter value to 0. For the next message, you use a different
random key and start counting at 0 again. CTR mode is really a stream
cipher and you should never re-use a key.
Holding the key fixed and choosing the IV randomly per message would
lead to likely collisions after only ~2**32 messages (for a 64-bit
block cipher) regardless of the key length--fewer messages than that,
if they contained multiple blocks.
Perhaps the confusion here is calling the counter value an IV when
it's not a random IV in the way that CBC IVs usually are. Maybe it
should be called something else. I still think it should be an integer.
How much flexibility exists in revising/rewriting the PEP 272 anyway?
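As an added example (not from the post or PEP 272), a CTR stream cipher driven by an integer counter, plus the birthday estimate behind the "~2**32 messages" figure above, including the multi-block case. The block cipher is a keyed-hash stand-in truncated to 64 bits, an assumption made so the example runs without a crypto library; the message sizes and keys below are constructed.

```python
import hashlib
import math

BLOCK_BITS = 64          # the 64-bit block cipher case discussed in the post
BLOCK_BYTES = BLOCK_BITS // 8


def block_cipher(key: bytes, block: bytes) -> bytes:
    """Stand-in for a 64-bit block cipher (assumption: a keyed hash truncated
    to one block so the example runs offline; it is not DES or Blowfish)."""
    return hashlib.blake2b(block, key=key, digest_size=BLOCK_BYTES).digest()


def ctr_keystream(key: bytes, counter: int, nbytes: int) -> bytes:
    """CTR keystream: encrypt counter, counter+1, ... as big-endian blocks.
    The counter is an integer, as the post argues the interface should use;
    it wraps modulo 2**BLOCK_BITS like a real counter block would."""
    out = bytearray()
    while len(out) < nbytes:
        block = (counter % 2 ** BLOCK_BITS).to_bytes(BLOCK_BYTES, "big")
        out += block_cipher(key, block)
        counter += 1
    return bytes(out[:nbytes])


def ctr_crypt(key: bytes, counter: int, data: bytes) -> bytes:
    """Encrypt and decrypt are the same XOR: CTR is a stream cipher, which is
    why a (key, counter) pair must never be used for two messages."""
    keystream = ctr_keystream(key, counter, len(data))
    return bytes(a ^ b for a, b in zip(data, keystream))


def messages_until_collision(block_bits: int, blocks_per_msg: int,
                             p: float = 0.5) -> float:
    """Birthday estimate for the fixed-key, random-per-message counter scheme.
    Each message starts at an independent random counter and consumes
    blocks_per_msg consecutive values.  Two such ranges drawn from 2**b values
    overlap with probability about (2m-1)/2**b, so N messages overlap
    somewhere with probability p once N**2/2 * (2m-1)/2**b ~ ln(1/(1-p)).
    Returns N: about 1.18 * 2**32 for b=64, m=1, and fewer for longer messages."""
    per_pair = (2 * blocks_per_msg - 1) / 2 ** block_bits
    return math.sqrt(2 * math.log(1 / (1 - p)) / per_pair)
```

Calling messages_until_collision(64, 8) shows how quickly the bound shrinks once messages span several blocks, since consecutive counters from one message can land inside another message's range.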