Werner Koch, <wk(_at_)isil(_dot_)d(_dot_)shuttle(_dot_)de>, writes:
> Uri Blumenthal <uri(_at_)watson(_dot_)ibm(_dot_)com> writes:
> > IV length normally is equal to the block size. I see no reason to
> > divert from this.
>
> Actually it is not the IV (which is always zero) but the random bytes
> prepended to the plaintext. However I think you are right and we
> should agree to use an IV of the blocksize instead of 8. The problem
> with this is that an application needs to know the blocksize of all
> possible algorithms to parse the packet - maybe it is better to change
> it only if we specify a new version number of the packet, Hmmm...

I believe Uri was referring to the passphrase-protected secret key
data, which does use an IV in the conventional sense.

As far as the need to know the block size, this would only be a problem
if you faced an unknown cipher ID. But in that case you can't decrypt
the rest of the packet anyway, so there is no need to parse it. You do
have information about the overall packet size from the packet headers,
so you can just skip past the encrypted data.

I just spoke on the phone with Phil Zimmermann, who suggested a different
approach for this problem. I will post a summary later this morning.
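
The skip-by-length argument in the reply above, as an added example that is not part of the original message or of any PGP implementation. It assumes a simplified, constructed framing (2-byte length, 1-byte cipher ID, block-size IV, ciphertext) and constructed cipher IDs; the names `BLOCK_SIZE`, `build_packet` and `parse_stream` are hypothetical.

```python
import struct

# Constructed cipher table for this example: cipher ID -> block size in bytes.
# The IDs are illustrative, not taken from the thread or any specification.
BLOCK_SIZE = {1: 8, 2: 8, 7: 16}

def build_packet(cipher_id: int, iv: bytes, ciphertext: bytes) -> bytes:
    """Frame one toy packet: 2-byte big-endian body length, then the body."""
    body = bytes([cipher_id]) + iv + ciphertext
    return struct.pack(">H", len(body)) + body

def parse_stream(data: bytes):
    """Walk a stream of toy packets, skipping bodies with unknown cipher IDs."""
    out, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated packet header")
        (length,) = struct.unpack_from(">H", data, pos)
        pos += 2
        if length < 1 or pos + length > len(data):
            raise ValueError("packet length runs past end of input")
        body = data[pos:pos + length]
        pos += length  # the header length alone keeps the parser in sync
        cipher_id = body[0]
        block = BLOCK_SIZE.get(cipher_id)
        if block is None:
            # Unknown cipher: the IV length is unknowable, but the body could
            # not be decrypted anyway, so record the skip and move on.
            out.append({"cipher": cipher_id, "skipped": len(body)})
            continue
        if len(body) < 1 + block:
            raise ValueError("body too short for a block-size IV")
        out.append({"cipher": cipher_id,
                    "iv": body[1:1 + block],
                    "ciphertext": body[1 + block:]})
    return out

# Constructed sample: 8-byte-block cipher, an unknown cipher, 16-byte-block cipher.
SAMPLE = (build_packet(1, b"\x11" * 8, b"A" * 8)
          + build_packet(99, b"\x22" * 12, b"B" * 24)
          + build_packet(7, b"\x33" * 16, b"C" * 32))

if __name__ == "__main__":
    for packet in parse_stream(SAMPLE):
        print(packet)
```

The packet after the unknown-cipher one still parses with its 16-byte IV intact, because the parser advances by the header length before it ever looks at the cipher ID.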