Communities

Writing
Writing
Codidact Meta
Codidact Meta
The Great Outdoors
The Great Outdoors
Photography & Video
Photography & Video
Scientific Speculation
Scientific Speculation
Cooking
Cooking
Electrical Engineering
Electrical Engineering
Judaism
Judaism
Languages & Linguistics
Languages & Linguistics
Software Development
Software Development
Mathematics
Mathematics
Christianity
Christianity
Code Golf
Code Golf
Music
Music
Physics
Physics
Linux Systems
Linux Systems
Power Users
Power Users
Tabletop RPGs
Tabletop RPGs
Community Proposals
Community Proposals
tag:snake search within a tag
answers:0 unanswered questions
user:xxxx search by author id
score:0.5 posts with 0.5+ score
"snake oil" exact phrase
votes:4 posts with 4+ votes
created:<1w created < 1 week ago
post_type:xxxx type of post
Search help
Notifications
Mark all as read See all your notifications »
Q&A

Welcome to Software Development on Codidact!

Will you help us build our independent community of developers helping developers? We're small and trying to grow. We welcome questions about all aspects of software development, from design to code to QA and more. Got questions? Got answers? Got code you'd like someone to review? Please join us.

Comments on Is this AES/CBC scheme, where the IV does not need to be known during decryption, insecure or does it have any other disadvantages?

Parent

Is this AES/CBC scheme, where the IV does not need to be known during decryption, insecure or does it have any other disadvantages?

+2
−0

Usually a random IV is used for encryption with AES in CBC mode, so that key/IV pairs are not reused, which would be a vulnerability.
During decryption, the IV of the encryption is required. If decryption is performed with a different IV, this leads to corruption of the first block in CBC mode.
In order to make the IV available to the decrypting party, it is usually concatenated with the ciphertext (IV | ciphertext). During decryption, the IV and ciphertext can then be determined from this.

In Python and with PyCryptodome, one possible implementation is:

from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad

plaintext = b'This is a top secret.'
key = b'01234567890123456789012345678901' # AES test key
cipher = AES.new(key, AES.MODE_CBC)
ciphertext = cipher.encrypt(pad(plaintext, AES.block_size))
ivCiphertext = cipher.iv + ciphertext # concatenate IV and cipertext
print(ivCiphertext.hex())

iv = ivCiphertext[:16] # strip IV off
ciphertext = ivCiphertext[16:]
cipher = AES.new(key, AES.MODE_CBC, iv)
plaintext = unpad(cipher.decrypt(ciphertext), AES.block_size)
print(plaintext.decode())

Since in the CBC mode only the first block is corrupted when decrypting with a wrong IV, the following scheme would also be possible: The plaintext is preceded by an arbitrary plaintext block, e.g. 16 0x00 values. A random IV is used for encryption. For decryption, an arbitrary IV is used, e.g. 16 0x00 values. The first block of the decrypted plaintext is discarded (this is corrupted due to the wrong IV, but as it does not contain any payload data, this does not matter).

In Python and with PyCryptodome, a possible implementation is the following:

from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad

plaintext = b'This is a top secret.'
key = b'01234567890123456789012345678901' # AES test key
plaintext = b'\x00'*16 + plaintext # prepend arbitrary block
cipher = AES.new(key, AES.MODE_CBC)
ciphertext = cipher.encrypt(pad(plaintext, AES.block_size))
print(ciphertext.hex())

cipher = AES.new(key, AES.MODE_CBC)
plaintext = unpad(cipher.decrypt(ciphertext), AES.block_size)
plaintext = plaintext[16:] # remove prepended block
print(plaintext.decode())

There is practically no difference in the effort required for the two implementations. Neither leads to key/IV reuse. Both must pass data of the same size to the decrypting party. However, the last variant has the advantage (at least in my opinion) that the condition The IV of the encryption is required for decryption is eliminated. Nevertheless, the last scheme is practically not used (at least I can only find the first variant on the web). My questions are: Does the second implementation have a disadvantage in terms of security compared to the first? Or is there another reason why the second schema is not used?

History
Why does this post require attention from curators or moderators?
You might want to add some details to your flag.
Why should this post be closed?

0 comment threads

Post
+3
−0

However, the last variant has the advantage (at least in my opinion) that the condition The IV of the encryption is required for decryption is eliminated.

It isn't really. It's just generated less efficiently: instead of generating a random IV, the sender has to generate a random IV and do one block's worth of encryption to get the real IV.

History
Why does this post require attention from curators or moderators?
You might want to add some details to your flag.

1 comment thread

I see, the second scheme is more inefficient because one more block has to be encrypted/decrypted. (1 comment)
I see, the second scheme is more inefficient because one more block has to be encrypted/decrypted.
Holden‭ wrote 4 months ago

I see, the second scheme is more inefficient because one more block has to be encrypted/decrypted.