Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Why is using a Non-Random IV with CBC Mode a vulnerability?

I understand the purpose of an IV. Specifically in CBC mode this insures that the first block of of 2 messages encrypted with the same key will never be identical. But why is it a vulnerability if the IV's are sequential? According to CWE-329 NON-Random IV's allow for the possibility of a dictionary attack. I know that in practice protocols like WEP make no effort to hide the IV. If the attacker has the IV and a cipher text message then this opens the door for a dictionary attack against the key. I don't see how a random iv changes this. (I know the attacks against wep are more complex than this.)

What security advantage does a randomized iv have? Is this still a problem with an "Ideal Block Cipher"? (A perfectly secure block cipher with no possible weaknesses.)

like image 849
rook Avatar asked Jun 09 '10 17:06

rook


People also ask

Why is CBC mode insecure?

The reason the vulnerability exists is because block ciphers must have valid padding, and encryption algorithms will handle the padding for developers during encryption. Consequently, during development and testing, valid ciphertexts are used and developers may never even be aware padding exists.

Why should the IV in CBC be protected?

A major advantage of CBC mode is that, while encryption must be performed sequentially, decryption can be parallelized. The first IV is a public value and all other blocks use a ciphertext as an IV, which are public. This can make decryption faster than other block cipher modes of operation.

Are CBC ciphers vulnerable?

3.7) or RC2 (1.2. 840.113549. 3.2) is vulnerable, as well as messages using any other block cipher algorithms in CBC mode. While stream ciphers aren't susceptible to this particular vulnerability, Microsoft recommends always authenticating the data over inspecting the ContentEncryptionAlgorithm value.

Is CBC mode secure?

Although CBC mode is more secure, its encryption is not tolerant of block losses. This is because blocks depend on their previous blocks for encryption. So, if block Bi is lost, the encryption of all subsequent blocks will not be possible.


2 Answers

Predictable IVs can be exploited by chosen plain text.

Pretend that Eve is a DBA at an insurance company. The company collects medical histories from beneficiaries that include a lot of true/false check boxes about medical conditions. This company also happens to its own health insurance provider. Eve realizes that Alice could be blackmailed if she can discover that Alice has a particularly embarrassing medical condition. However, the value in each of these fields is encrypted, so even though Eve is the DBA, she only has access to the cipher text.

In CBC, the IV is XORed (noted by "⊕" below) with the plain text, then run through the block cipher: C1 = Ek(IV ⊕ P1).

Since Eve is a beneficiary of the insurance company, she can choose the plain text for her own medical record, and since she is the DBA, she can examine anyone's cipher text. In addition to using predictable IVs, the sloppy application developer did a poor job of validating the application inputs. If Eve can predict the IVs that will be applied to her (IVeve) and Alice's (IValice) records in advance, she can choose the plain text for her own record like this: Peve = IVeve ⊕ IValice ⊕ "false"

The application encrypts this plain text like this:

Ceve = Ek(IVeve ⊕ Peve) = Ek(IVeve ⊕ (IVeve ⊕ IValice ⊕ "false"))

The IVeve ⊕ IVeve cancels out, which means that Ceve = Ek(IValice ⊕ "false")

Now Eve can compare Ceve and Calice. If they are different, she knows that Alice must have entered "true" for that medical condition.

Making IVs unpredictable thwarts this attack, and an easy way to make them unpredictable is to choose them randomly after the plain text has been supplied.

like image 86
erickson Avatar answered Oct 09 '22 05:10

erickson


i want to explain your question by using WEP which is vulnerable and now other protocols such as WPA2 is used.

the simple rule IEEE says that :

Basic rule is never use a key+IV twice, ever

One of the reason that WEP is compromised is due to the reason of IV generation.

alt text

As seen in the picture, when WEP first appeared the length of the IV was 24 bits (later it is increased 48 bits) if the attacker knows the how the IV are generated or in this situation IVs are small enough for the attacker to exploit the messages.

If anyone knows about the generation of the IV or it overlaps (because IVs are 24 bits it means 2^24 IVs) during the transmission of the packets the attacker who is sniffing the traffic can : if the IVs are sequential it means still there is a possibility that the IVs will be overlap in some time.

let's assume,

passphrase key Kp  initialization vector Ivi  plaintext data D1, D2 (for separateblocks)  Traffic Key:Kti=Kp||Ivi  Ciphertext: E(Kti,Di)=RC4(Kti) xor Di 

and assume that

IV1=IV2  (created sequentially and from 0 to 2^24 again returns back) 

Attacker has,

(RC4(Kt1) xor D1) Xor  (RC4(Kt1) xor D2) = D1 XOR D2 

This can be broken by using Aircrack-NG using network traces. The idea that i showed is the basic one more complex assumption can be made, again never ever use same IV that will overlap.

like image 34
berkay Avatar answered Oct 09 '22 05:10

berkay