Re: A patch to loop.c for better cryption support

From: David Wagner (
Date: Sat Oct 14 2000 - 12:17:18 EST

Marc Mutz wrote:
>> There are some who believe that "not unique" IVs (across multiple
>> filesystems) facilitates some methods of cryptanalysis.
>Do you have a paper reference?

There's no paper, because it's too trivial to appear in a paper.
But you can find this weakness described in any good crypto textbook.
See, e.g., Bruce Schneier's _Applied Cryptography_; the section on
CBC mode says that IV's must not repeat. (However, it does get one
thing wrong: it claims that it's ok to use a serial number for your
IV. This is not correct, and I can give a reference for this latter,
subtler point, if you like.)

>As CTR mode _requires_ unique IVs (CBC does not),

Sorry, that turns out not to be the case. Both CBC and CTR mode
require unique IV's (for security).

>the upper half of the
>IV could be initialized from the key

It's a bad idea to include key material in your IV. (Kerberos did
it, and there were some attacks as a result.) I recommend against it.
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to
Please read the FAQ at

This archive was generated by hypermail 2b29 : Sun Oct 15 2000 - 21:00:27 EST