Join Log in
Score:1
U. Windl avatar Crypto

Role of IV in Perl's Crypt::Rijndael

cn flag
U. Windl

Sorry in advance if I'm asking a stupid question:

I thought the role of "IV" in encryption is to avoid having identical ciphertext for identical plaintext. So one could use some random IV.

Writing some Perl code I'm confused, however. Consider this test code:

use Crypt::Rijndael;
my $cipher = Crypt::Rijndael->new('x' x 16, Crypt::Rijndael::MODE_CBC());
$cipher->set_iv('IV' x 8);
my $data = 'old grey fox 123';
my $c = $cipher->encrypt($data);
$cipher = Crypt::Rijndael->new('x' x 16, Crypt::Rijndael::MODE_CBC());
$cipher->set_iv('IV' x 8);
die "bad" unless ($cipher->decrypt($c) eq $data);

Decryption fails if I don't set the IV before encryption.

That confuses me: I thought I don't need the IV after encryption any more and that the IV should be secret. However when I "comment out" the second set_iv, the program dies with bad.

But when I need it for decryption, should the IV be treated as part of the encryption key? Currently my application only stores the key, not the IV.

Are these facts correct, or did I use the algorithm in a wrong way? My application for encryption is protecting rather short secret information like authentication keys...

102
2 + 1
cbc
et flag
user93353
IV used for encryption is not a secret. And it is needed during decryption. Unless you know the IV used for encryption, Decryption will fail. You need to use different Cipher objects for separate encryptions, so that it's available for decryption.
1
Reply
Score:3
Maarten Bodewes avatar Crypto
in flag
Maarten Bodewes

I thought the role of "IV" in encryption is to avoid having identical ciphertext for identical plaintext. So one could use some random IV.

Well, yes, but in case of CBC it also needs to be fully unpredictable by an adversary.

$cipher->set_iv('IV' x 8);

Absolutely doesn't cut it unless the key is never reused. Usually that means that the IV is created using a cryptographically secure random number generator. There are of course other ways to get an unpredictable IV, such as encryption of a counter with another key, but those are very uncommon.

Decryption fails if I don't set the IV before encryption.

Well yes. Let's take a look at CBC mode encryption (decryption is similar of course, except that the XOR with the IV or previous ciphertext is performed after the block cipher has been applied):

enter image description here

Obviously it always requires an IV. If you set it to a block of all-zero bytes then the XOR with the plaintext block will simply result in the same plaintext block, so that's probably as close as you can get to "no IV". Most modes of operation require an IV or nonce as input.

That confuses me: I thought I don't need the IV after encryption any more and that the IV should be secret.

No, the key is the secret part. Storing the key with the IV makes no sense, as the key / IV combination should be unique. The IV can be send in the plain. Quite often it is prefixed to the ciphertext.

Are these facts correct, or did I use the algorithm in a wrong way? My application for encryption is protecting rather short secret information like authentication keys...

If you do not store or cannot derive the key for the ciphertext then you're doing something wrong, yes. If you're storing keys you would generally use a mode like AES-SIV or key wrapping (or you'd use a key derivation function, a ratchet, etc.).

+ 4
Maarten Bodewes avatar
in flag
Maarten Bodewes
Funny enough I've seen HSM's use CBC mode with an all zero IV to "wrap keys". That's OK for some usage scenarios (random keys that are a multiple of the block size), but remember that e.g. RSA private keys are not fully randomized, so it may leak some information about the key that is wrapped. Fortunately, for RSA, the public modulus usually comes first...
0
Reply
U. Windl avatar
cn flag
U. Windl
Well, the code shown is a test code, so the IV is constant (and very obvious). For the other details: At the moment (development in progress) I have a two stage encryption: An PIN-type password generates a first KEK via KDF, and that first KEK secures the real fully random second KEK that protects the actual secret. My idea was that a brute force on the second KEK is hard to do as the result is all random (so how would you know you succeeded?).
0
Reply
U. Windl avatar
cn flag
U. Windl
Maybe I should explain my confusion: I thought the IV results in an encrypted block at the beginning of the ciphertext, and after decryption the extra "block of random bits" would simply be discarded (as the only purpose was to randomize the ciphertext). So that's why I thought it's not needed for decryption. That is: I thought specifying an IV is equivalent to prepending a random block to the plaintext before encryption.
0
Reply
Maarten Bodewes avatar
in flag
Maarten Bodewes
Yes, common mistake. I think that for CBC the encrypted block would act as the actual IV, so it wouldn't be catastrophic. However, for fun, imagine what prefixing a random value to the plaintext does for counter mode :) (you can see [the scheme on the modes of operation page]{https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Counter_(CTR)) on Wikipedia). Usually the IV is considered the nonce & counter together for that mode by he way.
0
Reply
Score:2
SAI Peregrinus avatar Crypto
si flag
SAI Peregrinus

The IV randomizes the ciphertext, and must be unique for each message. For CBC mode, it MUST be unpredictable. It need not be secret, it's usually prepended to the ciphertext. It MUST NOT repeat for a given key, and you MUST use a Message Authentication Code (MAC) over the ciphertext and IV for CBC to be secure against common attacks. The recipient MUST validate the MAC before attempting decryption, and MUST NOT continue to decrypt if the validation fails.

If the IV is predictable or repeated, CBC is insecure against passive attack. If the MAC isn't used, active attacks can break the encryption.

+ 3
U. Windl avatar
cn flag
U. Windl
I also found the graphics in [Wikipdedia: Block cipher mode of operation (Cipher block chaining (CBC))](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation) helpful for understanding the role of the IV. Unfortunately the example shown in the Perl manual page `Crypt::Rijndael` SYNOPSIS reuses the `$cipher` object, so it's not obvious that `set_iv` has to be used for decrypting, too.
0
Reply
U. Windl avatar
cn flag
U. Windl
I think you could improve your answer by explaining *why* (i.e.: "*what (can happen) if (the criteria is) not (fulfilled)*") each criteria for the IV is important (or even required). Also explain why the MAC is required. Finally I wonder: *Is it the same to use an "IV=iv" and using no IV, but prepend "iv" to the data instead?*
0
Reply
Maarten Bodewes avatar
in flag
Maarten Bodewes
You've forgotten the unpredictable part for CBC mode, SAI. Might be less important for this use case, but still...
1
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.