Losing the Initialization Vector in Cipher Block Chaining
I have written a message and encrypted it using cipher block chaining.
What will happen if the receiver loses the Initialization Vector, or doesn't receive it at all?
Tags: decryption, ciphers

asked yesterday by Ahmed Iraqi (new contributor); edited yesterday by Johnny
3 Answers
When decrypting a message in CBC mode, each ciphertext block c_i is decrypted with the chosen key, and then XORed with the previous ciphertext block c_{i-1}.
Since for c_1 there is no c_0, we use the IV instead. So if the receiver knows the ciphertext and the key used to encrypt it, but not the IV, they can decrypt everything apart from the first block.
answered yesterday by TheWolf; edited yesterday by schroeder♦
In a cipher block chain, each block is XORed with the ciphertext of the previous block, not the plaintext. So even if you cannot decipher one block, as long as you have received the complete block intact and correct, you can still use it to decipher the next one.
So, if your receiver doesn't have the Initialization Vector, they will be unable to decipher the first block they receive. But as long as they receive the first block, they will still successfully decipher the second (and each successive) block.
answered yesterday by Johnny
The bigger problem is not the garbled first block, as already answered. The real problem is that if you use Authenticated Encryption (or AEAD), as you must, then the message cannot be authenticated without the IV (because the IV must be covered by the MAC), and when the message cannot be authenticated, it must not be decrypted. The job of the MAC is to ensure unauthenticated messages are never passed to AES (or whatever) together with your real key.
Since you are trying to decrypt messages that don't have their IV, we must assume they are also unauthenticated (or you had a MAC that didn't cover the IV, which is broken). Fix that.
You can do CBC + HMAC, encrypt-then-MAC (thus MAC-then-decrypt), with the MAC covering the IV, and it would be secure. But, it would be much better to use AES-GCM or Chacha20-Poly1305. It would be even better to just use libsodium or Google Tink.
answered yesterday by Z.T.; edited yesterday

Comment: "This is a great answer, and shows the important difference in the answers you'll get by asking the questions "what will happen" and "what should happen"..." – Johnny, yesterday
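As an added worked example (not code from any of the answers above, nor from any library they mention), the following Python shows both points made on this page: the first two answers' observation that a receiver without the IV recovers every block except the first, and Z.T.'s point that with encrypt-then-MAC, where the MAC covers the IV, a message whose IV is missing fails authentication and is never handed to the decryption routine. It uses a small HMAC-SHA256 Feistel network as a stand-in for AES (an assumption made so the example runs with the standard library only; only the block-cipher shape matters for CBC). The key, MAC key, IV, message and all function names are constructed for this demo.

```python
import hashlib
import hmac

BLOCK = 16          # block size in bytes, same as AES
HALF = BLOCK // 2
ROUNDS = 4
TAG_LEN = 32        # HMAC-SHA256 output length


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    # Feistel round function: keyed HMAC-SHA256 truncated to half a block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:HALF]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Stand-in block cipher (Feistel over HMAC), NOT AES. Any keyed
    # permutation of 16-byte blocks would behave the same way in CBC.
    l, r = block[:HALF], block[HALF:]
    for rnd in range(ROUNDS):
        l, r = r, _xor(l, _f(key, r, rnd))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:HALF], block[HALF:]
    for rnd in reversed(range(ROUNDS)):
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r


def pad(data: bytes) -> bytes:           # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    return data[:-data[-1]]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    prev, out = iv, []
    for i in range(0, len(plaintext), BLOCK):
        c = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(c)
        prev = c                          # chain on the ciphertext block
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c                          # previous *ciphertext* block, as the answers say
    return b"".join(out)


def decrypt_with_lost_iv(key: bytes, ciphertext: bytes) -> bytes:
    # Receiver has the key and the ciphertext but no IV, so it substitutes zeros.
    # Block 1 comes out as D(c1) XOR 0 = p1 XOR IV (garbage); every later block
    # is XORed with the received previous ciphertext block and decrypts correctly.
    return cbc_decrypt(key, bytes(BLOCK), ciphertext)


def seal(enc_key: bytes, mac_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: the tag covers IV || ciphertext, so the IV is authenticated.
    ct = cbc_encrypt(enc_key, iv, pad(plaintext))
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return iv + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, message: bytes) -> bytes:
    # MAC-then-decrypt: verify before the ciphertext ever reaches the block cipher.
    iv, ct, tag = message[:BLOCK], message[BLOCK:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed; ciphertext not decrypted")
    return unpad(cbc_decrypt(enc_key, iv, ct))


def lost_iv_is_rejected(enc_key: bytes, mac_key: bytes, sealed: bytes) -> bool:
    # The IV is lost in transit; the receiver fills in zeros as above.
    damaged = bytes(BLOCK) + sealed[BLOCK:]
    try:
        open_sealed(enc_key, mac_key, damaged)
    except ValueError:
        return True                       # rejected before any decryption
    return False


# Constructed sample values for the demo; none of these are real secrets.
KEY = b"constructed-demo-enc-key"
MAC_KEY = b"constructed-demo-mac-key"
IV = bytes(range(BLOCK))
MESSAGE = b"block one is 16B" + b"block two is 16B" + b"tail"

if __name__ == "__main__":
    ct = cbc_encrypt(KEY, IV, pad(MESSAGE))
    print("without IV:", decrypt_with_lost_iv(KEY, ct))
    print("sealed message verifies:", open_sealed(KEY, MAC_KEY, seal(KEY, MAC_KEY, IV, MESSAGE)))
    print("sealed message with lost IV rejected:", lost_iv_is_rejected(KEY, MAC_KEY, seal(KEY, MAC_KEY, IV, MESSAGE)))
```

Running the script prints the second and later blocks of MESSAGE intact behind 16 bytes of garbage, while the sealed variant refuses the same damaged input outright. If `seal` computed the tag over `ct` alone, the zero-IV message would still verify and the garbled first block would be handed to the application as authentic; that is the "MAC that didn't cover the IV" the answer calls broken.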