Losing the Initialization Vector in Cipher Block Chaining





I have written a message and encrypted it using cipher block chaining.



What will happen if the receiver loses the Initialization Vector, or doesn't receive at all?










Tags: decryption, ciphers

asked by Ahmed Iraqi, edited by Johnny

3 Answers
When decrypting a message in CBC mode, each ciphertext block c_i is decrypted with the chosen key, and then XORed with the previous ciphertext block c_(i-1).

Since for c_1 there is no c_0, we use the IV instead. So if the receiver knows the ciphertext and the key used to encrypt it, but not the IV, they can decrypt everything apart from the first block.






answered by TheWolf, edited by schroeder
            In a cipher block chain, each block is XORed with the ciphertext of the previous block, not the plaintext. So even if you cannot decipher one block, as long as you have received the complete block intact and correct, you can still use it to decipher the next one.



            So, if your receiver doesn't have the Initialization Vector, they will be unable to decipher the first block they receive. But as long as they receive the first block, they will still successfully decipher the second (and each successive) block.






answered by Johnny
              The bigger problem is not the garbled first block, as already answered. The real problem is that if you use Authenticated Encryption (or AEAD), as you must, then the message cannot be authenticated without the IV (because the IV must be covered by the MAC), and when the message cannot be authenticated, it must not be decrypted. The job of the MAC is to ensure unauthenticated messages are never passed to AES (or whatever) together with your real key.



              Since you are trying to decrypt messages that don't have their IV, we must assume they are also unauthenticated (or you had a MAC that didn't cover the IV, which is broken). Fix that.



              You can do CBC + HMAC, encrypt-then-MAC (thus MAC-then-decrypt), with the MAC covering the IV, and it would be secure. But, it would be much better to use AES-GCM or Chacha20-Poly1305. It would be even better to just use libsodium or Google Tink.






answered by Z.T.
              • This is a great answer, and shows the important difference in the answers you'll get by asking the questions "what will happen" and "what should happen"...

                – Johnny
                yesterday
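The mechanics from all three answers in one runnable piece, added here as an example and not code from the thread or any of its posters: CBC decryption where the receiver never got the IV and guesses zeros, which yields the first block as p_1 XOR IV and every later block intact (TheWolf's and Johnny's point), followed by the encrypt-then-MAC layout Z.T. describes (IV || ciphertext || HMAC over both), where a message arriving without its IV fails the tag check and is never handed to the cipher. The block cipher inside is a constructed 4-round SHA-256 Feistel permutation standing in for AES so the script runs offline without a third-party library; it carries no security claim. The keys, IV and plaintext are constructed demo values.

```python
"""Added example (not from the thread): CBC without its IV, then CBC under
encrypt-then-MAC with the IV covered by the tag. The block cipher is a
constructed Feistel permutation (NOT AES, no security claim); CBC, PKCS#7
padding and HMAC are the standard constructions."""
import hashlib
import hmac
import os

BLOCK = 16    # block size in bytes
TAG_LEN = 32  # HMAC-SHA256 output length


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    # Keyed Feistel round function: 8 bytes of SHA-256(key || round || half).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, right, rnd))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):  # undo the rounds in reverse order
        left, right = _xor(right, _f(key, left, rnd)), left
    return left + right


def pad(data: bytes) -> bytes:  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # c_i = E_k(p_i XOR c_(i-1)) with c_0 = IV
    prev, out = iv, []
    data = pad(plaintext)
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt_blocks(key: bytes, iv: bytes, ciphertext: bytes) -> list:
    # p_i = D_k(c_i) XOR c_(i-1); returned block by block, without unpadding,
    # so the caller can see exactly which blocks survive a wrong IV.
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return out


def decrypt_without_iv(key: bytes, ciphertext: bytes) -> list:
    """Receiver never got the IV and can only guess it (all zeros here):
    block 1 comes out as p_1 XOR real_IV, every later block is correct."""
    return cbc_decrypt_blocks(key, bytes(BLOCK), ciphertext)


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: IV || CBC ciphertext || HMAC(IV || ciphertext)."""
    iv = os.urandom(BLOCK)
    ct = cbc_encrypt(enc_key, iv, plaintext)
    return iv + ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()


def verify_tag(mac_key: bytes, message: bytes) -> bool:
    """MAC check first; a message with its IV missing or altered fails here."""
    body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def open_sealed(enc_key: bytes, mac_key: bytes, message: bytes) -> bytes:
    if not verify_tag(mac_key, message):
        raise ValueError("authentication failed; ciphertext not decrypted")
    iv, ct = message[:BLOCK], message[BLOCK:-TAG_LEN]
    return unpad(b"".join(cbc_decrypt_blocks(enc_key, iv, ct)))


# Constructed demo values (not from the thread).
DEMO_KEY = b"demo-enc-key-16B"
DEMO_MAC_KEY = b"demo-mac-key-16B"
DEMO_IV = bytes(range(BLOCK))
DEMO_PT = b"block one is 16b" b"block two is 16b" b"block three 16b!"

if __name__ == "__main__":
    ct = cbc_encrypt(DEMO_KEY, DEMO_IV, DEMO_PT)
    for n, blk in enumerate(decrypt_without_iv(DEMO_KEY, ct), 1):
        print(f"block {n}: {blk!r}")          # block 1 garbled, 2..4 intact
    sealed = seal(DEMO_KEY, DEMO_MAC_KEY, DEMO_PT)
    print("tag OK with IV:   ", verify_tag(DEMO_MAC_KEY, sealed))
    print("tag OK without IV:", verify_tag(DEMO_MAC_KEY, sealed[BLOCK:]))
```

`verify_tag` runs before any decryption and compares with `hmac.compare_digest` so a wrong tag is rejected in constant time; `open_sealed` only reaches the cipher once the IV and ciphertext have been authenticated together, which is what prevents the "garbled first block" from ever being a question in production. Replace the Feistel stand-in with a real cipher, or better, follow Z.T.'s advice and use an AEAD such as AES-GCM through a library like libsodium or Tink.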











