Here is a non-technical argument against plaintext IV's:
a. Data encryption (either or both below):
(i) RC4; 40 bit key (which can vary with every message); with
key management as per (b) below or with no key
management.
NOTE: It shall be permissible to pre-fix an initialization vector
to any plain text message that is to be encrypted with RC4.
The initialization vector itself will appear in plain text in the
message itself and will be exclusive or'd [sic] with the RC4 key
prior to RC4 key set up.
(ii) RC2; 40 bit key; with key management as per (b) below or
with no key management
The NSA/SPA agreement, excerpted above, permits expedited export of
crypto gear but requires that the IV be in plain text. Since the
conditions for mass market export are widely believed to mean "NSA can
decrypt the traffic if you follow these conditions", the existence of
a plaintext IV may make a significant difference in cryptanalysis,
whether or not we understand all the implications of why.
Believable estimates of the cost to build a machine that uses
brute-force to crack DES in a day are now down in the small numbers of
millions of dollars. The cost to build a second one, after designing
the first, would be much smaller. Given these economics, we must
assume that several (perhaps ten) organizations have such machines --
governments and other large criminal organizations. Such a machine
would provide the key, given known or chosen plaintext, and DES
ciphertext. Secrecy of the IV eliminates the most obvious place for
known plaintext (the first 8 bytes).
An acquaintance at a large computer company told me that during their
discussions about how to modify a cryptographic protocol to make it
exportable, NSA said it was sufficient to "put some large constant
fields early in the plaintext -- that's all we really need".
Perhaps this is all disinformation, nefariously orchestrated to
convince us to encrypt our IV's. Suppose we do. What have we lost?
Nothing, as far as I can see. No performance, no space, no time, no
security. If sending the IV encrypted under RSA or DES would
*decrease* the security of the message, then there's something
seriously wrong.
PS: My vote would be for DES EDE3. There is no evidence of security
*loss* for three keys, while we suspect that there is a significant
security gain over two. Compatibility with standards for
key-distribution for ATM's is irrelevant. Even if anyone has been
stupid enough to build crypto hardware with three DES engines but only
two keys, 99% of PEM users are going to run software DES, so that's
also irrelevant. If PEM is so wildly successful that this changes,
and DES appears in CPU chips or on every clone PC motherboard, the
hardware will be designed around PEM, not the other way around!
John Gilmore gnu(_at_)toad(_dot_)com --
gnu(_at_)cygnus(_dot_)com -- gnu(_at_)eff(_dot_)org
Creating freedom, rather than longer chains, bigger cages, better meals, . . .
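As an added illustration of the known-plaintext point made in the post above (this is not Gilmore's code and not from any PEM implementation): with the IV sent in plain text and a predictable first block, an eavesdropper already holds the exact input and output of one block-cipher operation, which is the per-candidate check a key-search machine needs; withhold the IV and that input cannot be formed. The block function is a hypothetical stand-in (a truncated keyed hash), not DES or RC4, and the key, IV and message are constructed sample values.

```python
import hashlib

BLOCK = 8  # DES-sized blocks, as in the PEM discussion above


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the forward direction of a 64-bit block cipher.
    Hypothetical: a keyed hash truncated to one block. Only the forward
    direction is needed to show what a first-block check looks like."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Plain CBC: C[i] = E_K(C[i-1] XOR P[i]), with C[-1] = IV."""
    assert len(plaintext) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(prev, plaintext[i:i + BLOCK]))
        out.append(prev)
    return b"".join(out)


def first_block_pair(iv, known_header: bytes, ciphertext: bytes):
    """The (input, output) pair of one block-cipher operation that a
    public IV plus a predictable first block hands to an eavesdropper.
    With the IV withheld (iv is None) the input cannot be formed."""
    if iv is None:
        return None
    return xor(iv, known_header[:BLOCK]), ciphertext[:BLOCK]


def key_consistent_with(key: bytes, pair) -> bool:
    """The one-block check a key-search machine applies per candidate."""
    x, y = pair
    return block_encrypt(key, x) == y


# Constructed sample: a PEM message whose first 8 bytes are the fixed
# boundary line, so the first plaintext block is predictable.
SAMPLE_KEY = b"constructed-key"
SAMPLE_IV = bytes(range(BLOCK))
SAMPLE_MSG = b"-----BEGIN PRIVACY-ENHANCED MESSAGE-----"  # 40 bytes
SAMPLE_CT = cbc_encrypt(SAMPLE_KEY, SAMPLE_IV, SAMPLE_MSG)
```

With the IV public, `key_consistent_with` decides a candidate key from one block operation; with the IV encrypted, `first_block_pair` yields nothing to test against.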