Colin Plumb (
Sun, 21 Jul 96 05:10:45 MDT

I'd like to remind folks that a cenreal tenet in cryptography is that
you don't want to encrypt two messages with the same key *and IV*.
It cauese information leakage. The leakage is low enough that if it
happens by accident, there's no great cause for alarm, but you shouldn't
do it in a regular basis.

And if you use an encrypted device on a machine which someone else
can read the hard drive of, then over time, as you modify the
drive, if the IV you use for encrypting each block depends only
on the block number, you are creating messages (each subsequent
version of the block) which are encrypted with the same key and IV.
Lots of them.

Now, OFB and counter mode are *particularly* bad, as you can XOR
two versions of a block together and recover the XOR of the
plaintexts. Generally a bad idea. CFB mode has problems,
but even CFB mode reveals the location of an alteration.

The hack used in Peter Gutmann's MS-DOS SFS device driver of
using a checksum of the plaintext (and the block offset, and
some per-volume unique information) is advisable.