Can anyone give me a hint why “Being able to predict the IV breaks CBC security, and that led to the BEAST attack.” is a problem? IIUC, IVs are not meant to be secret - with explicit IVs a MITM would know the IV as soon as the packet is sent anyway.
So how does having advance notice of what the IV for the next record will be matter? I imagine it’s to do with injecting a packet which makes use of that IV, but I don’t see how that is useful without also knowing the key - which a MITM wouldn’t?
(I’ve tried a few BEAST writeups, but they focus on how hard the attack is to execute and I’ve not yet seen this explained).
edit: OK, this is a good writeup: https://blog.cryptographyengineering.com/2011/09/21/brief-diversion-beast-attack-on-tlsssl/
http://crypto.stackexchange.com/questions/3883/why-is-cbc-with-predictable-iv-considered-insecure-against-chosen-plaintext-atta
http://crypto.stackexchange.com/questions/1078/how-can-cipher-block-chaining-cbc-in-ssl-be-attacked/1082#1082
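To put the mechanism from those writeups into runnable form, here is an added example (my own code, not from this thread or from any of the linked posts). The point it shows: the attacker never needs the key. With chained IVs (SSL 3.0 / TLS 1.0, where record n+1 is encrypted with the last ciphertext block of record n as its IV), a MITM who can also get chosen plaintext encrypted (BEAST does this through the browser) can XOR the *known next IV* into a probe block so that the cipher ends up encrypting `guess XOR iv_target`, and then compare the result with the ciphertext block of the real secret. Equality proves the guess. Aligning the unknown byte at the end of a block makes it 256 guesses per byte. Everything here is an assumption for illustration: the 4-round Feistel over HMAC-SHA256 is a stand-in for AES, the names `ChainedIvCbc`, `RandomIvCbc`, `Beast`, `make_victim` and `demo` are invented, and `SID=deadbeef` is a constructed sample cookie. `RandomIvCbc` models the TLS 1.1+ fix (fresh random IV per record) and shows the same attack code failing against it.

```python
import hashlib
import hmac
import os

BLOCK = 16


def xor(*bufs):
    """XOR equal-length byte strings."""
    out = bytearray(bufs[0])
    for b in bufs[1:]:
        for i, x in enumerate(b):
            out[i] ^= x
    return bytes(out)


def _f(key, rnd, half):
    """Feistel round function: keyed PRF truncated to the 8-byte half block."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key, block):
    """Toy 128-bit block cipher (4-round Feistel). A stand-in for AES, not a real cipher."""
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r


def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r


def pkcs7(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


class ChainedIvCbc:
    """CBC as SSL 3.0/TLS 1.0 did it: record n+1's IV is record n's last ciphertext block."""

    def __init__(self, key):
        self.key = key
        self.next_iv = os.urandom(BLOCK)  # first IV is secret; every later one is on the wire

    def encrypt_record(self, plaintext):
        prev, out = self.next_iv, b""
        for i in range(0, len(plaintext), BLOCK):
            prev = block_encrypt(self.key, xor(plaintext[i:i + BLOCK], prev))
            out += prev
        self.next_iv = prev
        return out


class RandomIvCbc(ChainedIvCbc):
    """TLS 1.1+ behaviour: fresh random IV per record. It travels in the record, so the
    MITM learns it only after the probe has already been encrypted (IV sending omitted here)."""

    def encrypt_record(self, plaintext):
        self.next_iv = os.urandom(BLOCK)
        return super().encrypt_record(plaintext)


def make_victim(session, secret):
    """Models the browser: attacker picks the request path, the secret cookie is appended."""
    return lambda attacker_prefix: session.encrypt_record(pkcs7(attacker_prefix + secret))


class Beast:
    """Attacker: sees every ciphertext on the wire, can trigger requests with a chosen prefix."""

    def __init__(self, request):
        self.request = request
        self.next_iv = request(b"")[-BLOCK:]  # one observed record reveals the next IV

    def ask(self, prefix):
        ct = self.request(prefix)
        self.next_iv = ct[-BLOCK:]
        return ct

    def recover(self, secret_len):
        """Byte-at-a-time recovery of the secret's first block (secret_len <= 16)."""
        recovered = b""
        for i in range(secret_len):
            filler = b"A" * (BLOCK - 1 - i)           # pushes secret[i] to the end of block 0
            iv_target = self.next_iv
            target = self.ask(filler)[:BLOCK]          # E_k(iv_target XOR (filler||secret[:i+1]))
            for g in range(256):
                candidate = filler + recovered + bytes([g])
                # Cancel the IV the victim is about to use, substitute the one the target saw.
                probe = xor(candidate, iv_target, self.next_iv)
                if self.ask(probe)[:BLOCK] == target:  # block 0 is E_k(iv_target XOR candidate)
                    recovered += bytes([g])
                    break
            else:
                raise RuntimeError("no guess matched: the IV was not the one we predicted")
        return recovered


def demo(session_cls):
    """Returns (secret, recovered) for the given CBC flavour; raises if the attack fails."""
    secret = b"SID=deadbeef"  # constructed sample cookie
    attacker = Beast(make_victim(session_cls(os.urandom(32)), secret))
    return secret, attacker.recover(len(secret))


def attack_succeeds(session_cls):
    try:
        secret, recovered = demo(session_cls)
    except RuntimeError:
        return False
    return secret == recovered


if __name__ == "__main__":
    print("chained IV (TLS 1.0):", demo(ChainedIvCbc))
    print("random IV (TLS 1.1+): attack succeeds?", attack_succeeds(RandomIvCbc))
```

The key only ever appears inside `encrypt_record`; the attacker's `recover` uses nothing but observed ciphertext and the ability to choose a plaintext prefix. That is why IV secrecy is irrelevant but IV *predictability before the plaintext is committed* is fatal: the probe has to be computed from the IV before the record is encrypted. In real BEAST the hard parts are getting the browser to send the probe as a single record boundary-aligned the way `filler` does here, and getting the attacker-controlled bytes ahead of the cookie, which is what the writeups spend their time on.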
Thanks, that helps a lot.