ietf-openpgp

Re: 128 bit block ciphers

1998-06-29 17:03:54
dontspam-tzeruch(_at_)ceddec(_dot_)com says:
To add security you need an offset in a generated cryptostream. Which
(the offset) necessarily should go in the clear.

The problem is there is no other way to determine if a key is correct than
to match the final pairs of bytes in the prefix.  It adds no security, but
without any means of checksumming the symmetrically encrypted ESKs, you
can't tell which of the passphrases actually match.  I suggested adding a
checksum to the SKESK, but that was shot down. 

Hmm... In block ciphers that random prefix does add a little bit of
security and does make a non-zero IV unnecessary. In stream ciphers
the prefix does nothing and an IV (or a "stream offset") is a must.

None of these is really good for checksumming.
While the existing solution that uses block cipher(s) copes with the
issue well, stream ciphers throw a monkey wrench into the gears. Yes,
it is possible to have both a random prefix and a random offset, but it
doesn't look nice.

I'm for adding a checksum. Would be more reliable too. [Possibly it's
too late for that... Oh well...]

So you require a checksum like mechanism in the cryptostream. 

Yup.

The simplest is to do the same type that the existing CFB system uses. 

Probably.  But is it the best...?
-- 
Regards,
Uri             uri(_at_)watson(_dot_)ibm(_dot_)com
-=-=-=-=-=-=-
<Disclaimer>
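
The prefix check discussed in this message, as an added example that is not part of the original post or of any PGP implementation: a block-sized random prefix with its last two bytes repeated, tested after CFB decryption as the only indication that a key is correct. Assumptions: SHA-256 stands in for the block cipher's encrypt direction, plain CFB with an all-zero IV is used without OpenPGP's resynchronization step, and all function names are hypothetical.

```python
import hashlib
import os

BLOCK = 16  # bytes; a 128-bit block as in the thread subject

def prf_block(key, block):
    # Assumption: SHA-256 stands in for the block cipher's encrypt
    # direction (CFB never runs the cipher backwards). Not a real cipher.
    return hashlib.sha256(key + block).digest()[:BLOCK]

def cfb(key, data, decrypt, iv=bytes(BLOCK)):
    # Plain full-block CFB with an all-zero IV; OpenPGP's resync step is omitted.
    out, feedback = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        stream = prf_block(key, feedback)
        result = bytes(a ^ b for a, b in zip(chunk, stream))
        out += result
        feedback = chunk if decrypt else result  # feedback is always ciphertext
    return bytes(out)

def seal(key, message, prefix=None):
    # Random block-sized prefix, then its last two bytes repeated, then the data.
    prefix = prefix or os.urandom(BLOCK)
    return cfb(key, prefix + prefix[-2:] + message, decrypt=False)

def quick_check(key, ciphertext):
    # The only key test available: do bytes BLOCK-2..BLOCK-1 of the
    # decrypted prefix equal the two bytes that follow it?
    head = cfb(key, ciphertext[:BLOCK + 2], decrypt=True)
    return head[BLOCK - 2:BLOCK] == head[BLOCK:BLOCK + 2]

def open_sealed(key, ciphertext):
    if not quick_check(key, ciphertext):
        return None
    return cfb(key, ciphertext, decrypt=True)[BLOCK + 2:]

def false_accepts(ciphertext, trials):
    # Wrong keys that still pass: a 16-bit check lets about 1 in 65536 through.
    wrong = (hashlib.sha256(b"wrong-%d" % n).digest() for n in range(trials))
    return sum(quick_check(k, ciphertext) for k in wrong)

if __name__ == "__main__":
    key = hashlib.sha256(b"constructed passphrase").digest()
    ct = seal(key, b"constructed sample message")
    print(open_sealed(key, ct), false_accepts(ct, 200000))
```

Because the test compares only 16 bits, a passing result says the key is probably right, not that the data is intact; it detects nothing past the first BLOCK + 2 bytes.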
