Focus on Apple
Security and Leopard (Mac OS X 10.5)
> I know it doesn't use CBC because it's possible to corrupt one byte
> in the middle of an encrypted stream and for the stream after that to
> be correct. I know it doesn't use a random key because the key has
> been found and published.

I'm sorry, but you don't know what you're talking about.

Please understand the difference between a key and an initialization
vector. They are not the same thing at all. The key is a closely
guarded secret piece of data. The IV is just a random number to
initialize a message. You could think of it similarly to the initial
sequence number in a TCP stream - it's not a secret, just a number to
make sure both parties start on the same page.

It is in fact a very important principle of cryptography that if two
messages are to be encrypted with the same key (as is the case here),
then each message absolutely must use a unique IV. Failing to do so
will significantly weaken the secrecy of both messages. For example,
the main flaw that makes WEP encryption so hopelessly weak is the fact
that WEP reuses IVs.

In CBC mode the IV is just the first block of ciphertext (you might
think of it as a 'zeroth' block, since the following ciphertext block
is the one that corresponds to the first plaintext block). There is
no need to discover and disclose an IV - it's just the first block of
any given ciphertext.

Also, consider for a moment how CBC mode works: If you corrupt a
single block in a CBC-mode encrypted message, you affect only two
blocks of the plaintext - the one corresponding to the block you
corrupted (you decrypt incorrect ciphertext, and XOR in the correct
previous block of ciphertext - the result is incorrect), and the
following block (you decrypt correct ciphertext, but then XOR in the
incorrect previous block of ciphertext - the result is incorrect).
Decryption of each plaintext block N depends only on ciphertext blocks
N and N-1. (Notice that in CBC mode a function of the IV is to give
plaintext block N=1 a ciphertext block N-1=0.)

> You don't have to unsheath the code to detect it. Just look for the
> sequence of bytes it uses. It doesn't matter whether that sequence
> represents machine code or just gibberish. As long as it's the same
> every time you can spot it. How does Apple's use of encrypted
> binaries change this?

As I hope you will finally have understood, the ciphertext absolutely
is not the same each time.
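
Added example, not part of the original post: a short Python demonstration of the two CBC properties the message above describes, namely that corrupting ciphertext block N damages only plaintext blocks N and N+1, and that a fresh IV makes the ciphertext of the same plaintext under the same key differ each time. The block cipher is a stand-in toy Feistel construction built on SHA-256 so the code runs with the standard library only; it is an assumption for illustration, not a real cipher, and all function names are hypothetical.

```python
import hashlib
import os

BLOCK = 16  # block size in bytes

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, i, half):
    # Round function of the stand-in Feistel cipher (NOT a real cipher).
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]

def enc_block(key, blk):
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def dec_block(key, blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def cbc_encrypt(key, pt, iv=None):
    # Fresh random IV per message, sent in the clear as ciphertext block 0.
    # pt must be a multiple of BLOCK bytes (padding is left out of this demo).
    iv = os.urandom(BLOCK) if iv is None else iv
    out = [iv]
    for i in range(0, len(pt), BLOCK):
        out.append(enc_block(key, _xor(pt[i:i + BLOCK], out[-1])))
    return b"".join(out)

def cbc_decrypt(key, ct):
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    # Plaintext block N = D(C[N]) xor C[N-1], with C[0] being the IV.
    return b"".join(_xor(dec_block(key, c), p) for p, c in zip(blocks, blocks[1:]))

def damaged_blocks(key, pt, ct_byte):
    """Flip one bit of ciphertext byte ct_byte; return the 1-based plaintext blocks that change."""
    ct = bytearray(cbc_encrypt(key, pt))
    ct[ct_byte] ^= 0x01
    bad = cbc_decrypt(key, bytes(ct))
    return [n + 1 for n in range(len(pt) // BLOCK)
            if bad[n * BLOCK:(n + 1) * BLOCK] != pt[n * BLOCK:(n + 1) * BLOCK]]

if __name__ == "__main__":
    key = b"constructed demo key"
    pt = bytes(range(96))  # constructed sample: six 16-byte blocks
    print(damaged_blocks(key, pt, 3 * BLOCK + 5))  # byte inside ciphertext block 3
    print(cbc_encrypt(key, pt) == cbc_encrypt(key, pt))  # two fresh IVs
```

Everything after the two damaged blocks decrypts correctly, so a stream that recovers after one corrupted byte is consistent with CBC.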