[xmlsec] Initialize IV for AES-CBC mode
aleksey at aleksey.com
Fri Jul 16 16:57:53 PDT 2004
No, it does not. The purpose of the IV vector is to provide "randomness"
for block cipher encryption. A new IV should be generated for *every*
encryption operation. DES has a well-known attack when >1 message is
encrypted with the same IV. AFAIK, it is not the case with AES but by
the nature of block ciphers, using the same IV vector weakens encryption.
Going back to XML Encryption. You should not worry about IVs. The IV
is automatically generated by xmlsec on encryptor side, sent along
with the message (as described in XML Encryption spec) and then
automatically extracted from the message by xmlsec on decryptor side.
The application only needs to exchange AES keys; there is no need to
exchange IVs. Note that sending the IV with the message is a part of
the XML Encryption spec. Thus not only xmlsec but any other XML encryption
toolkit should be able to extract the IV from the message.
IMHO, "security thru obscurity" is not the best way of developing
security applications. And I am not sure why you think that disclosing
the protocol to me is better than doing it to the list :)
Sood, Sanjeev wrote:
> I apologize for writing to you in private. I don’t want to disclose our
> application protocol in the message list.
> < The protocol description is skipped >
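The IV handling described in the reply above, as an added example that is not part of the original post and is not xmlsec code: a fresh random IV is generated for every encryption, prefixed to the ciphertext, and split off again by the receiver, so only the key is shared. The function names, the sample key and the padding layout (every pad byte set to the pad length) are assumptions made for the illustration.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Encrypt returns IV || AES-CBC(key, IV, padded plaintext) using a fresh random IV.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	n := aes.BlockSize - len(plaintext)%aes.BlockSize // 1..16 pad bytes
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil { // new IV per message
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}
// Decrypt takes the IV from the front of the message; the caller supplies only the key.
func Decrypt(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < 2*aes.BlockSize || len(msg)%aes.BlockSize != 0 {
		return nil, errors.New("message too short or not block aligned")
	}
	iv, ct := msg[:aes.BlockSize], msg[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1]) // last byte holds the pad length
	if n < 1 || n > aes.BlockSize {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-n], nil
}
func main() {
	key := []byte("0123456789abcdef") // constructed 128-bit sample key
	a, _ := Encrypt(key, []byte("same plaintext"))
	b, _ := Encrypt(key, []byte("same plaintext"))
	pt, _ := Decrypt(key, a)
	fmt.Println(bytes.Equal(a, b), string(pt))
}
```

Encrypting the same plaintext twice under the same key gives two different messages, and each decrypts without any IV exchange.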