From: futplex@pseudonym.com (Futplex)
Date: Tue, 12 Dec 1995 14:06:28 +0800
To: cypherpunks@toad.com (Cypherpunks Mailing List)
Subject: Re: DES Cryptanalysis
In-Reply-To: <30cc40ff3f57002@noc.cis.umn.edu>
Message-ID: <199512112328.SAA06771@thor.cs.umass.edu>
MIME-Version: 1.0
Content-Type: text/plain


Kevin L. Prigge writes:
> I'm looking for pointers, or perhaps an explanation of the statement
> I found in Applied Cryptography (section 9.6) where it implies
> that if the IV is not unique in CFB mode, the cryptanalyst can recover the
> plaintext.
> 
> The reason that this interests me is that I have a file, encrypted
> with DES in CFB mode. I believe I know the first 8 bytes of plaintext
> and I also know the IV used. 

I don't believe you have much cause for hope here. The IV usually accompanies
the ciphertext in the clear. Knowing the first 8 bytes of plaintext gives you
precious little additional information in CFB mode, for the purposes of
decryption. (It looks like you might be able to reconstruct the ciphertext
of the encrypted IV, giving you a single plaintext/ciphertext pair, but that's
about it....)

Generally it's advisable to use a different IV for each encryption to avoid 
correlations between the ciphertexts for plaintexts that have the same 
prefix. If you always used the same IV, then two messages that start with the
same text would encrypt to the same initial piece of ciphertext. (This is not
the only reason, but I think it's the main one.)

-Futplex <futplex@pseudonym.com>