On Tue, Apr 02, 2002 at 02:05:35PM -0700, James Yonan wrote:
> * If you try to use a CFB or OFB mode cipher, OpenVPN fails to warn you that
> you also need to use the --rand-iv option.
>
> * The --rand-iv option currently does not guarantee that each IV is unique
> for a given key. Uniqueness of IV is a requirement for CFB and OFB mode
> ciphers. OpenVPN normally uses IVs equal in size to the cipher block size

It is also required for CBC mode.

> which is usually 64 bits. There is a 50% probability that if you forward
> 2^32 packets, there will be two packets that have the same IV. The next
> release of OpenVPN will ensure that each IV is unique when used with a CFB
> or OFB mode cipher.

Ah, so actually the CFB and OFB modes do use an IV, but it's just 8 bits
big? And by virtue of the birthday paradox, that would mean there's 50%
chance if you forward more than 16 packets.

--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus@xxxxxxxxxxxxxxxxxxx>
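
The birthday estimate for random IVs discussed in this message, next to an IV source that cannot repeat under one key, as an added example that is not part of the original thread and not OpenVPN code. `CounterIV` and the other names are hypothetical, and the counter scheme is an assumption about one way to guarantee uniqueness for CFB/OFB, not the method the next release uses.

```python
import math
import os


def collision_probability(iv_bits: int, packets: int) -> float:
    """Birthday approximation of P(some IV repeats) for uniformly random IVs."""
    space = 2.0 ** iv_bits
    return -math.expm1(-packets * (packets - 1) / (2.0 * space))


def first_repeat_random(iv_bytes: int, limit: int):
    """Draw random IVs; return the packet number of the first repeat, or None."""
    seen = set()
    for packet_no in range(1, limit + 1):
        iv = os.urandom(iv_bytes)
        if iv in seen:
            return packet_no
        seen.add(iv)
    return None


class CounterIV:
    """Hypothetical per-key IV source: a packet counter, unique until it wraps."""

    def __init__(self, iv_bytes: int):
        self.iv_bytes = iv_bytes
        self.counter = 0

    def next_iv(self) -> bytes:
        if self.counter >= 1 << (8 * self.iv_bytes):
            # Every IV has been used once under this key: rekey, never wrap.
            raise OverflowError("IV space exhausted, rekey required")
        iv = self.counter.to_bytes(self.iv_bytes, "big")
        self.counter += 1
        return iv


if __name__ == "__main__":
    print("64-bit IV, 2^32 packets:", round(collision_probability(64, 2 ** 32), 3))
    print("16-bit IV, first random repeat at packet",
          first_repeat_random(2, 1 << 17))
    gen = CounterIV(2)
    ivs = [gen.next_iv() for _ in range(1 << 16)]
    print("16-bit counter IVs, all unique:", len(set(ivs)) == len(ivs))
```

A counter IV is predictable, which is acceptable for the uniqueness requirement of CFB and OFB; CBC additionally needs IVs an attacker cannot predict.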