Digital networks have been developed to facilitate the transfer of information, including data and programs, among digital computer systems and other digital devices. A variety of types of networks have been developed and implemented, including so-called "wide-area networks" (WANs) and "local area networks" (LANs), which transfer information using diverse information transfer methodologies. Generally, LANs are implemented over relatively small geographical areas, such as within an individual office facility or the like, for transferring information within a particular office, company or similar type of organization. On the other hand, WANs are implemented over relatively large geographical areas, and may be used to transfer information between LANs, between devices that are not connected to LANs, and the like. WANs also include public networks, such as the Internet, which carry information for many companies at once.
A number of problems have arisen in connection with transfer of information over networks, particularly public networks. One significant problem is privacy, to ensure that, if information to be transferred from a source device to a destination device over the network is intercepted by a third device, the intercepting device cannot determine what the actual information is. Cryptographic techniques are used to address this problem. Generally, in such techniques, the information to be transferred, which is termed "plaintext," is encrypted using one of a plurality of encryption techniques by the source device. After encryption, the source device transfers the encrypted information, which is termed "ciphertext," to the destination device, which performs a decryption operation on the encrypted information to recover the plaintext.
A number of cryptographic techniques have been developed. In one technique, termed "electronic codebook" (ECB) mode, the plaintext to be transferred is divided into a series of blocks, and each block is encrypted independently of the others to generate ciphertext blocks for transfer. Essentially, for each plaintext block $P_i$, a ciphertext block $C_i$ is formed using an encryption algorithm $E$ and a particular encryption key $enc\_key$, that is, $C_i = E_{enc\_key}(P_i)$. When the destination device receives the ciphertext block $C_i$, it can regenerate the plaintext block $P_i$ using the appropriate decryption algorithm $D$ and decryption key $dec\_key$, that is, $P_i = D_{dec\_key}(C_i)$. Depending on the particular encryption and decryption algorithms used, the values of the encryption key $enc\_key$ and the decryption key $dec\_key$ may differ, or they may be the same.
A security problem arises in connection with use of the electronic codebook mode. For the same encryption algorithm and the same value of the encryption key $enc\_key$, the same plaintext block always encrypts to the same ciphertext block, so the pattern of identical ciphertext blocks reveals exactly where the plaintext repeats. In many cases, messages transmitted from a particular source device or to a particular destination have fragments in common, such as headers transferred at the beginning of messages or footers at the end of messages. In addition, some types of messages, such as some types of electronic mail, have regular structures. In such cases, a cryptanalyst that intercepts such messages can mount statistical attacks which provide information regarding the plaintext of the messages without knowing the particular encryption algorithm or the encryption key used in encrypting them.
This problem is addressed by use of a "cipher block chaining" (CBC) mode. In cipher block chaining, information to be transferred is, as in the electronic codebook mode, encrypted in blocks, but each plaintext block is, prior to encryption, pre-processed together with the ciphertext generated for the previous block. The pre-processed block is then encrypted for transmission. Thus, for each plaintext block $P_i$ to be transferred, a ciphertext block $C_i$ is formed as $C_i = E_{enc\_key}(P_i \oplus C_{i-1})$, in which $\oplus$ represents a predetermined pre-processing operation. Generally, the pre-processing operation $\oplus$ used in the cipher block chaining mode is the bit-wise exclusive-OR. The first plaintext block $P_1$ is processed with a block termed an "initialization vector," or "IV," which takes the place of $C_0$ and is also transferred to or otherwise known by the destination device. When the destination device receives the ciphertext blocks, it regenerates each plaintext block as $P_i = C_{i-1} \oplus D_{dec\_key}(C_i)$, with the initialization vector used as $C_0$ when processing the first ciphertext block $C_1$.
Generally, the cipher block chaining mode provides more security than the electronic codebook mode, since, even if there is a significant degree of repetition among fragments of the plaintext messages to be transferred, the pre-processing ensures that the ciphertext itself does not repeat, provided that different initialization vectors are used for the different messages. Any value can be used as the initialization vector, for example a random number, or a value that must be sent for other purposes anyway, such as a message sequence number. If the source device uses random numbers as initialization vectors, it must provide each initialization vector to the destination device, either along with the message or separately, so that the destination device can use it in recovering the first plaintext block.
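The two framings described above, electronic codebook ($C_i = E_{enc\_key}(P_i)$) and cipher block chaining with an initialization vector, as an added example that is not part of the original text. A toy 16-byte Feistel cipher built from HMAC-SHA256 stands in for a real block cipher so the code runs offline on the Python standard library; it is constructed for the demonstration and is not secure. The message, key and initialization vector are constructed sample values. The `repeated_blocks` check counts duplicate ciphertext blocks, which is exactly what an interceptor sees in ECB output when the plaintext repeats.

```python
"""Added example: ECB versus CBC framing over a toy block cipher.

The 16-byte block cipher below is a 4-round Feistel network whose round
function is HMAC-SHA256. It is a constructed stand-in for a real cipher
such as AES so that the code runs offline; it is NOT secure. Only the
ECB/CBC framing around it is the point of the example.
"""
import hashlib
import hmac
import os

BLOCK = 16
HALF = BLOCK // 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, half: bytes, rnd: int) -> bytes:
    # Keyed round function F(key, rnd, R): first 8 bytes of an HMAC.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:HALF]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """E_key(block): Feistel step (L, R) -> (R, L xor F(R)), four times."""
    assert len(block) == BLOCK
    l, r = block[:HALF], block[HALF:]
    for rnd in range(4):
        l, r = r, _xor(l, _round(key, r, rnd))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """D_key(block): undo the Feistel steps in reverse order."""
    assert len(block) == BLOCK
    l, r = block[:HALF], block[HALF:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _round(key, l, rnd)), l
    return l + r


def _pad(data: bytes) -> bytes:
    # PKCS#7 padding so the final block is full.
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Electronic codebook: C_i = E_key(P_i), every block independent."""
    return b"".join(block_encrypt(key, p) for p in _blocks(_pad(plaintext)))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return _unpad(b"".join(block_decrypt(key, c) for c in _blocks(ciphertext)))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Cipher block chaining: C_i = E_key(P_i xor C_{i-1}), with C_0 = IV."""
    prev, out = iv, []
    for p in _blocks(_pad(plaintext)):
        prev = block_encrypt(key, _xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """P_i = C_{i-1} xor D_key(C_i), with C_0 = IV."""
    prev, out = iv, []
    for c in _blocks(ciphertext):
        out.append(_xor(prev, block_decrypt(key, c)))
        prev = c
    return _unpad(b"".join(out))


def repeated_blocks(ciphertext: bytes) -> int:
    """Count ciphertext blocks that duplicate an earlier one (the ECB leak)."""
    bs = _blocks(ciphertext)
    return len(bs) - len(set(bs))


# Constructed sample message: a 16-byte header repeated three times, then a payload.
MESSAGE = b"HEADER-v1.0-----" * 3 + b"payload"
KEY = b"constructed-demo-key"  # constructed sample key

if __name__ == "__main__":
    ecb = ecb_encrypt(KEY, MESSAGE)
    iv = os.urandom(BLOCK)  # random IV, which must be sent to the receiver
    cbc = cbc_encrypt(KEY, iv, MESSAGE)
    print("ECB repeated blocks:", repeated_blocks(ecb))  # 2: the three header blocks collide
    print("CBC repeated blocks:", repeated_blocks(cbc))  # 0
    assert ecb_decrypt(KEY, ecb) == MESSAGE
    assert cbc_decrypt(KEY, iv, cbc) == MESSAGE
```

Running the script shows the three identical header blocks producing three identical ECB ciphertext blocks, while the chained version has no repeats; encrypting the same message under CBC with a second random IV gives an entirely different ciphertext, which is why the IV must reach the receiver.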
However, in some situations there is no room in the message for the initialization vector, or it may otherwise be inconvenient to transfer the initialization vector to the destination device. In such situations it is often desired to use as the initialization vector a value that is either sent as plaintext along with the message, or is otherwise known to, inferable by or derivable by the destination device and so need not be transferred, such as a message sequence number, a time stamp, or the like. A problem arises with use of such values as an initialization vector. If values such as packet sequence numbers or time stamps are used as the initialization vector, the values will often change only slightly from one message to the next, and so the pre-processed plaintext formed with such initialization vectors (in particular $P_1 \oplus IV$, where the first block $P_1$ is frequently a fixed header) also will change only slightly from one message to the next. With some types of encryption algorithms, a cryptanalyst who intercepts message packets containing ciphertext encrypted with such algorithms can successfully use well-known "differential cryptanalysis" techniques, which apply when the information being encrypted (in this case, the pre-processed plaintext) for successive messages differs in only a few bits, to recover information about the information being transferred. An initialization vector that an attacker can predict before the message is sent also lets an attacker who can influence plaintext encrypted under the same key test guesses about earlier plaintext blocks. Accordingly, it is generally not considered good security practice to use information such as a packet sequence number or time stamp as the initialization vector, even though such a value is guaranteed to be different in every message.
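An added check for the point above, not from the original text: because the first block handed to the block cipher under cipher block chaining is $P_1 \oplus IV$, and $P_1$ is the same fixed header in every message, the number of bits by which successive encryptor inputs differ is the number of bits by which successive initialization vectors differ. The code measures that for sequence-number initialization vectors and for random ones. The header is a constructed sample, and the random initialization vectors come from a seeded generator (a stand-in for `os.urandom`) so the run is reproducible; no cipher is needed for the measurement.

```python
"""Added check: how far apart are successive CBC encryptor inputs for the
first block when the IV is a sequence number versus a random value?

The header P_1 is a constructed sample that is identical in every message,
which is the situation the text describes (fixed headers, regular structure).
"""
import random

BLOCK = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def counter_iv(seq: int) -> bytes:
    """IV taken directly from a message sequence number (the choice the text warns about)."""
    return seq.to_bytes(BLOCK, "big")


def random_ivs(count: int, seed: int = 1234) -> list:
    """Deterministic stand-in for os.urandom(16) so the measurement is reproducible."""
    rng = random.Random(seed)
    return [rng.getrandbits(8 * BLOCK).to_bytes(BLOCK, "big") for _ in range(count)]


def encryptor_input_distances(ivs: list, first_block: bytes) -> list:
    """Hamming distance between P_1 xor IV_n and P_1 xor IV_{n+1} for each consecutive pair."""
    inputs = [xor(first_block, iv) for iv in ivs]
    return [hamming(x, y) for x, y in zip(inputs, inputs[1:])]


HEADER = b"HEADER-v1.0-----"  # constructed 16-byte header, identical in every message


def compare(count: int = 17) -> dict:
    """Summarise the bit differences under both IV choices for `count` messages."""
    seq = encryptor_input_distances([counter_iv(n) for n in range(count)], HEADER)
    rnd = encryptor_input_distances(random_ivs(count), HEADER)
    return {
        "sequence_max": max(seq),
        "sequence_mean": sum(seq) / len(seq),
        "random_min": min(rnd),
        "random_mean": sum(rnd) / len(rnd),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

For the first seventeen sequence numbers the encryptor inputs differ by between one and five bits out of 128 (the difference between consecutive counters), whereas with random initialization vectors they differ by roughly 64 bits on average; the same measurement can be run against any IV derivation a protocol proposes before it is adopted.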