hi,

This isn't a communications protocol. We're talking about disk storage. The only circumstances where an attacker could use this as an attack vector would be if the attacker could take multiple snapshots of the disk, possibly replacing blocks at later times.

Peter

Thank you-i get that.The attacker might certainly like to try it ,if it is a banking DatBase. Bill Stewart" <bill.stewart@pobox.com> wrote

However, there's an emerging application for which disk drives are more vulnerable, which is remote storage. Some of the new disk interface standards, like Fibre Channel, and probably some of the flavors of iSCSI, can operate over distances of 20km and longer over fiber, leading to businesses like colocation centers in New Jersey providing big disk drive farms for New York City financial businesses which have their mainframes in Manhattan. For applications like that, it is important to do good IVs, because control of the disk drive doesn't imply control of the machine.

okay-lets look the same in a communication protocol. We have digital cash transactions between Bank A and Bank B. Say I am an employee of Bank A. I don't keep the IV as secret,i just append the IV along with the cipher text which i have chained using a chaining mode and send it to bank B.There is a man in the middle M,who also sniffs out the IV,now he can successfully perform a block replay attack. I can think of one way this can be prevented. It would take us to share a common seed value (a secret)between Bank A and Bank B. 1.Bank A uses a pseudo random number generator like Tauss88 with a period of nearly 2^80 or MT19937 with a period of 2^19937-1 and generates the first IV using the generator. 2.This IV,is used for chaining but the IV itself is not transmitted along with the cipher text to the bank of B. 3.Once the chained cipher text reaches bank of B, they use the common seed to generate the first IV and this IV can be used to obtain the actual cipher text. 4.Continue steps 1 to 4 till the period of the generator.If we use Taus88 we can get nearly 2^80 IV's and if we use MT19937 we can get upto 2^19937-1 IV's. We also dont need to hash the IV's itself though they form a linear recurring sequence, since they are not transmitted from Bank A to Bank B and we derive no information of the IV from any number of blocks of the chained cipher text. In this way the attacker can no longer perform block replay attacks. The funny part is that I have seen some cryptographic utilities simply appened the IV to the chained cipher text and transmit to a receiver. Regards Sarath. __________________________________ Do you Yahoo!? Yahoo! SiteBuilder - Free, easy-to-use web site design software http://sitebuilder.yahoo.com