1

Is there any security advantage to using a pre-determined IV in CBC mode over a null IV? I'm implementing a license key system similar to this article on CodeProject, but I'm confused by the author's use of a pre-determined IV embedded in the client code alongside the key. Presumably a properly randomized IV wasn't used because the resulting license key would be too long, but wouldn't a null IV be just as (in)secure?

Neil

1 Answer

2

There's no practical difference between zero IV and any other constant IV here.

With some older ciphers that have a small enough keyspace (or weaknesses that allow reducing it) you could have a rainbow table for the encryption of the zero vector which might make zero IV a weaker choice in some cases, but that would be impossible for AES with its 128-256 bit keys.

Note that when a key is only used to encrypt a single plaintext, a constant IV is secure.

otus
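An added example, not part of the question or the answer above, showing at the mode level why a fixed IV and a zero IV behave the same: CBC under a constant IV is exactly CBC under a zero IV on a message whose first block has been XORed with that constant, and either choice produces identical leading ciphertext blocks for two messages that share a first block under the same key. The block cipher is a toy Feistel permutation built from SHA-256 that stands in for AES so the code runs with the standard library only; the key, IV and license strings are constructed sample values.

```python
import hashlib

BLOCK = 16  # bytes, same block size as AES

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Round function of the toy cipher (assumption: stand-in for AES, not AES).
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]

def encrypt_block(key: bytes, block: bytes) -> bytes:
    # 4-round Feistel network: a keyed permutation on 16-byte blocks.
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        left, right = right, xor(left, _round(key, i, right))
    return left + right

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Plain CBC chaining, no padding: C_i = E(P_i xor C_{i-1}), C_0 = IV.
    if len(plaintext) % BLOCK:
        raise ValueError("plaintext must be a multiple of the block size")
    prev, out = iv, b""
    for i in range(0, len(plaintext), BLOCK):
        prev = encrypt_block(key, xor(prev, plaintext[i:i + BLOCK]))
        out += prev
    return out

# Constructed sample values, not taken from the CodeProject article.
KEY = b"constructed key!"
FIXED_IV = b"embedded-iv-0001"
ZERO_IV = bytes(BLOCK)
LICENSE_A = b"user=alice;sku=7" + b"expires=20300101"
LICENSE_B = b"user=alice;sku=7" + b"expires=20310101"

def fixed_iv_equals_shifted_zero_iv() -> bool:
    # CBC(k, iv, P) == CBC(k, 0, P') where P' is P with its first block XOR iv.
    shifted = xor(LICENSE_A[:BLOCK], FIXED_IV) + LICENSE_A[BLOCK:]
    return cbc_encrypt(KEY, FIXED_IV, LICENSE_A) == cbc_encrypt(KEY, ZERO_IV, shifted)

def shared_prefix_is_visible(iv: bytes) -> bool:
    # Same key and same constant IV: equal first plaintext blocks give equal
    # first ciphertext blocks, while the differing second block diverges.
    a = cbc_encrypt(KEY, iv, LICENSE_A)
    b = cbc_encrypt(KEY, iv, LICENSE_B)
    return a[:BLOCK] == b[:BLOCK] and a[BLOCK:] != b[BLOCK:]
```
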