6

I have three questions related to the use of IV within CBC mode of operation:

  1. Why, exactly, is it so bad to have a fixed (or predictable) IV in CBC mode? An example would be great!

  2. Given 1., why is a random IV better? And if the IV is "random", how are Alice and Bob both supposed to know it? Isn't the IV part of the key in that case?

  3. Why not only use the IV once (as in, keep on the CBC process forever and ever, without ever "starting again with a new IV")?

Maarten Bodewes
Joe

1 Answer

4

For question (1):

This page gives some hints on IVs and CBC: https://defuse.ca/cbcmodeiv.htm

I copy-paste the part about IV "predictability":

Chosen-Plaintext Attacks

Randomness is not enough, though. IVs have to be unpredictable, too[2].

Suppose there is a CBC-mode encryption system that selects a random IV, publishes it, asks the user for a one-block plaintext to encrypt, encrypts it with that IV, then gives the ciphertext to the user. Suppose Alice uses the system to encrypt two distinct messages A, and B, to get ciphertexts C and D. Alice gives Mallory the plaintexts and the ciphertexts and offers Mallory $1000 if he can tell her which of the two ciphertexts is the encryption of plaintext A. If he can't, he has to give Alice $1000.

If Mallory made a random guess, he would be right with 50% probability, because either C corresponds to A, or D corresponds to A. If the system is secure, Mallory shouldn't be able to do any better than this.

Mallory doesn't have to guess, though, because he can use a chosen-plaintext attack on the CBC-mode encryption system to figure out if C corresponds to A, or D corresponds to A. Mallory knows that the IV Alice used to encrypt A was IVA, and he knows that the input to the block cipher was A XOR IVA. Mallory just needs to know whether the block cipher encryption of A XOR IVA is C or D. Mallory asks the encryption system for the next IV, IVN, and sends it the plaintext A XOR IVA XOR IVN to encrypt. The system follows CBC mode, XORing Mallory's plaintext with IVN and passing the result to the block cipher. IVN XOR IVN is 0, so the system passes A XOR IVA to the block cipher, and gives Mallory the ciphertext. What Mallory gets back is either C or D, whichever one corresponds to plaintext A. In this case, Mallory gets back C, tells Alice that C corresponds to A, and wins $1000 with 100% probability.

Mallory would not have been able to do this if he could not predict the IV, since the plaintext he sends to the system depends on the next IV.

For (2):

Although the IV must be unpredictable (for each key), it doesn't need to be kept safe once the ciphertext has been generated. Generally it is sent (prefixed) with the ciphertext. It's certainly not part of the key.

For (3):

If there are separate encryptions, then see 1. If there is just one long stream then you only need one IV.

Maarten Bodewes
ddddavidee
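The game the quoted passage walks through, as an added Python example (not code from the answer above or from defuse.ca): a toy Feistel network over HMAC-SHA256 stands in for AES, a counter IV models the "predictable IV" case, and `distinguish()` reports whether Mallory's single probe settles which ciphertext encrypts A. The message texts and the `distinguish`/`cbc_encrypt` names are constructed for this example.

```python
import hashlib, hmac, os

BLOCK, ROUNDS = 16, 4   # 128-bit blocks like AES; rounds of the toy Feistel cipher

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Toy block cipher standing in for AES: a 4-round Feistel network whose round
# function is HMAC-SHA256, i.e. a keyed permutation on 16-byte blocks (constructed).
def _f(key, rnd, half):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in range(ROUNDS):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r

def cbc_encrypt(key, iv, pt):          # pt length must be a multiple of BLOCK
    prev, out = iv, b""
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def distinguish(predictable_iv):
    """The game from the answer: 'C' when Mallory's probe identifies A's
    ciphertext outright, None when it matches neither and he must coin-flip."""
    key, counter = os.urandom(16), 0
    def encrypt(pt):                   # the service: counter IV, or a fresh random one
        nonlocal counter
        counter += 1
        iv = counter.to_bytes(BLOCK, "big") if predictable_iv else os.urandom(BLOCK)
        return iv, cbc_encrypt(key, iv, pt)
    a, b = b"attack at dawn!!", b"attack at dusk!!"       # constructed one-block messages
    iv_a, c = encrypt(a)
    _, d = encrypt(b)
    # Mallory's guess at IV_N: exact for a counter, a 2^-128 chance against a random IV
    iv_n = (counter + 1).to_bytes(BLOCK, "big") if predictable_iv else os.urandom(BLOCK)
    _, probe = encrypt(xor(xor(a, iv_a), iv_n))       # cipher input is A xor IV_A if guess was right
    return "C" if probe == c else "D" if probe == d else None
```

With a counter IV the probe ciphertext equals C every time; with an IV drawn only at encryption time it matches neither C nor D, so Mallory is back to the 50% guess the answer describes.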