Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

CCCrypt decrypting in AES CBC works even without IV

I have a confusing problem, where decrypting a file which was encrypted using CCCrypt's AES-CBC mode with a randomized, 16byte IV produces the exact same output whether I pass in the same correct IV used for encryption or none at all.

What I expect: using a NULL IV for decrypting should not result in a correct decryption. What I observe: using a NULL IV results in the same result as with the IV used for encryption.

Below for sake of completeness, here's the important code snippets, iv is passed in as 16-byte securely randomized NSData.

What am I not understanding here? Is CCCrypt somehow figuring out the IV from the encrypted data by itself? I couldn't find anything around that in the docs.

- (NSData *)encryptedDataForData:(NSData *)rawData
                         withKey:(NSData *)key
                              iv:(NSData *)iv
                           error:(NSError __autoreleasing**)error
{
    size_t outLength;
    NSMutableData *cipherData = [NSMutableData dataWithLength:rawData.length + kAlgorithmBlockSize];

    CCCryptorStatus result = CCCrypt(kCCEncrypt,
                                     kCCAlgorithmAES128,
                                     kCCOptionPKCS7Padding | kCCModeCBC,
                                     key.bytes,
                                     key.length,
                                     iv.bytes,
                                     rawData.bytes,
                                     rawData.length,
                                     cipherData.mutableBytes,
                                     cipherData.length,
                                     &outLength);
    if (result == kCCSuccess) {
        cipherData.length = outLength;
        return cipherData;
    } else {
        return nil;
    }
}

- (NSData *)decryptedDataForData:(NSData *)encryptedData withKey:(NSData *)key error:(NSError __autoreleasing**)error
{
    size_t outLength;
    NSMutableData *decryptedData = [NSMutableData dataWithLength:encryptedData.length];

    // this line is just to illustrate how setting the exact same iv here - if this one
    // was used for encryption - results in same output as when passing iv = NULL
    NSData *iv = [Cryptor dataForHex:@"724a7fc0 0d8ac9d5 f09ff4c1 64d2d1bb"];

    CCCryptorStatus result = CCCrypt(kCCDecrypt,
                                     kCCAlgorithmAES128,
                                     kCCOptionPKCS7Padding | kCCModeCBC,
                                     key.bytes,
                                     key.length,
                                     iv.bytes, // iv OR NULL --> same result o_O
                                     encryptedData.bytes,
                                     encryptedData.length,
                                     decryptedData.mutableBytes,
                                     decryptedData.length,
                                     &outLength);
    if (result == kCCSuccess) {
        decryptedData.length = outLength;
        return decryptedData;
    } else {
        return nil;
    }
}

EDIT:

To elaborate on this, no matter which IV I use for decryption (tried out a couple of different randomized IV's) I always do get byte for byte the identical results. Even when I decrypt only some partial chunk of the encrypted file somewhere from the middle of the encrypted file.

Is this maybe related to the actual data I am en/decrypting (mp3 files)?

When I just pass some arbitrary chunk of the actual encrypted file to the decryptor, shouldn't it require the block right before that chunk of data (which I do not provide explicitly as the IV) to do the proper decryption? The only explanation I could think of here personally is that CCCrypt just always uses the first 16-bytes as the IV and does not decrypt those but drops them in the output.

EDIT 2:

Output of en/decryption, showing the first two blocks of in and output data, the key and the iv:

# encryption
data <4cd9b050 30c04bf9 2a0cb024 19010a31 400c2261 0069196a d77bcae6 9799ae26>
iv <724a7fc0 0d8ac9d5 f09ff4c1 64d2d1bb>
key <78656a1a 337fddd6 fa52e34d 9156d187>
encrypted <cf85cdbe 10a87309 a6fb4c4e ce640619 8f445b70 3738018a e78291a7 b4ea26ce>

# decryption with correct IV
data <cf85cdbe 10a87309 a6fb4c4e ce640619 8f445b70 3738018a e78291a7 b4ea26ce>
iv <724a7fc0 0d8ac9d5 f09ff4c1 64d2d1bb>
key <78656a1a 337fddd6 fa52e34d 9156d187>
decrypted <4cd9b050 30c04bf9 2a0cb024 19010a31 400c2261 0069196a d77bcae6 9799ae26>

# decryption with zero IV
data <cf85cdbe 10a87309 a6fb4c4e ce640619 8f445b70 3738018a e78291a7 b4ea26ce>
iv <00000000 00000000 00000000 00000000>
key <78656a1a 337fddd6 fa52e34d 9156d187>
decrypted <4cd9b050 30c04bf9 2a0cb024 19010a31 400c2261 0069196a d77bcae6 9799ae26>

# decryption with different IV
data <cf85cdbe 10a87309 a6fb4c4e ce640619 8f445b70 3738018a e78291a7 b4ea26ce>
iv <12345678 9abcdef1 23456789 abcdef12>
key <78656a1a 337fddd6 fa52e34d 9156d187>
decrypted <4cd9b050 30c04bf9 2a0cb024 19010a31 400c2261 0069196a d77bcae6 9799ae26>

EDIT 3:

The code for -dataForHex: is:

+ (NSData *)dataForHex:(NSString *)hex
{
    NSString *hexNoSpaces = [[[hex stringByReplacingOccurrencesOfString:@" " withString:@""]
            stringByReplacingOccurrencesOfString:@"<" withString:@""]
            stringByReplacingOccurrencesOfString:@">" withString:@""];

    NSMutableData *data = [[NSMutableData alloc] init];
    unsigned char whole_byte = 0;
    char byte_chars[3] = {'\0','\0','\0'};
    for (NSUInteger i = 0; i < [hexNoSpaces length] / 2; i++) {
        byte_chars[0] = (unsigned char) [hexNoSpaces characterAtIndex:(NSUInteger) (i * 2)];
        byte_chars[1] = (unsigned char) [hexNoSpaces characterAtIndex:(NSUInteger) (i * 2 + 1)];
        whole_byte = (unsigned char)strtol(byte_chars, NULL, 16);
        [data appendBytes:&whole_byte length:1];
    }
    return data;
}
like image 456
Dennis Avatar asked Nov 19 '14 10:11

Dennis


People also ask

Is IV needed for decryption?

To prevent this, the symmetric encryption algorithms use the IV to initialize the process, ensuring a unique ciphertext message. The message recipient must know both the key and the IV to decrypt the message, but only the key must remain secret.

Does AES CBC need IV?

CBC requires a random IV for each encryption. The IVs are therefore completely uncorrelated to the plaintexts or the keys; so knowledge of the IV reveals no information about the plaintext. Save this answer.

Should IV be same for encryption and decryption?

You need to use the same IV for encryption and decryption.

How do I decrypt AES in CBC?

To decrypt using AES-CBC: Instantiate the CBC block cipher class with the AES implementation class. Initialize it with the key and Initialization Vector (IV) for decryption. Process each block of the ciphertext being decrypted.


1 Answers

The iv is only used for the first block on decryption, further blocks use the cipher text from the previous block so it is somewhat self-synchronizing.

Wikipedia image: http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation

From Wikipedia Block cipher mode of operation.

So, picking up decryption in the middle of a CBC encrypted stream on a block boundary works except for the first block.

like image 142
zaph Avatar answered Oct 21 '22 05:10

zaph