
Kevin L. Prigge writes:
I'm looking for pointers, or perhaps an explanation of the statement I found in Applied Cryptography (section 9.6) where it implies that if the IV is not unique in CFB mode, the cryptanalyst can recover the plaintext.
The reason that this interests me is that I have a file, encrypted with DES in CFB mode. I believe I know the first 8 bytes of plaintext and I also know the IV used.
I don't believe you have much cause for hope here. The IV usually accompanies the ciphertext in the clear. Knowing the first 8 bytes of plaintext gives you precious little additional information in CFB mode, for the purposes of decryption. (It looks like you might be able to reconstruct the ciphertext of the encrypted IV, giving you a single plaintext/ciphertext pair, but that's about it...)

Generally it's advisable to use a different IV for each encryption to avoid correlations between the ciphertexts for plaintexts that have the same prefix. If you always used the same IV, then two messages that start with the same text would encrypt to the same initial piece of ciphertext. (This is not the only reason, but I think it's the main one.)

-Futplex <futplex@pseudonym.com>
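An added example, not part of the thread, showing the two effects Futplex describes: under one key and IV, full-block (64-bit) CFB turns a shared plaintext prefix into a shared ciphertext prefix, and a known first plaintext block combined with the first ciphertext block yields E_k(IV), the single plaintext/ciphertext pair mentioned above. It assumes a keyed hash truncated to 8 bytes in place of DES (CFB only uses the block cipher in the forward direction, so any keyed pseudorandom function shows the same behaviour); the key and messages are constructed for the demonstration.

```python
import hashlib

BLOCK = 8  # 64-bit block, the DES block size; feedback is one full block


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for DES encryption of one block (assumption: a keyed hash
    truncated to 8 bytes, since CFB never needs the decryption direction)."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """C_i = P_i XOR E_k(C_{i-1}) with C_0 = IV; a short last block is fine."""
    out, prev = bytearray(), iv
    for i in range(0, len(plaintext), BLOCK):
        c = xor(plaintext[i:i + BLOCK], block_encrypt(key, prev))
        out += c
        prev = c
    return bytes(out)


def cfb_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """P_i = C_i XOR E_k(C_{i-1}); the keystream depends only on previous ciphertext."""
    out, prev = bytearray(), iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out += xor(c, block_encrypt(key, prev))
        prev = c
    return bytes(out)


def common_ciphertext_prefix(key: bytes, iv: bytes, m1: bytes, m2: bytes) -> int:
    """Bytes of ciphertext two messages share when encrypted under the same key and IV.
    Equal plaintext prefixes give equal ciphertext prefixes because the keystream
    for each block is derived from the (identical) previous ciphertext block."""
    c1, c2 = cfb_encrypt(key, iv, m1), cfb_encrypt(key, iv, m2)
    n = 0
    while n < min(len(c1), len(c2)) and c1[n] == c2[n]:
        n += 1
    return n


def keystream_from_known_block(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """First 8 plaintext bytes XOR first 8 ciphertext bytes = E_k(IV): one known
    plaintext/ciphertext pair for the block cipher. Every other message under the
    same key and IV masks its first block with this same value, which is the
    reason IVs must not repeat."""
    return xor(known_plaintext[:BLOCK], ciphertext[:BLOCK])
```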