Communities

Writing
Writing
Codidact Meta
Codidact Meta
The Great Outdoors
The Great Outdoors
Photography & Video
Photography & Video
Scientific Speculation
Scientific Speculation
Cooking
Cooking
Electrical Engineering
Electrical Engineering
Judaism
Judaism
Languages & Linguistics
Languages & Linguistics
Software Development
Software Development
Mathematics
Mathematics
Christianity
Christianity
Code Golf
Code Golf
Music
Music
Physics
Physics
Linux Systems
Linux Systems
Power Users
Power Users
Tabletop RPGs
Tabletop RPGs
Community Proposals
Community Proposals
tag:snake search within a tag
answers:0 unanswered questions
user:xxxx search by author id
score:0.5 posts with 0.5+ score
"snake oil" exact phrase
votes:4 posts with 4+ votes
created:<1w created < 1 week ago
post_type:xxxx type of post
Search help
Notifications
Mark all as read See all your notifications »
Q&A

Welcome to Software Development on Codidact!

Will you help us build our independent community of developers helping developers? We're small and trying to grow. We welcome questions about all aspects of software development, from design to code to QA and more. Got questions? Got answers? Got code you'd like someone to review? Please join us.

Post History

66%
+2 −0
Q&A Is this AES/CBC scheme, where the IV does not need to be known during decryption, insecure or does it have any other disadvantages?

Usually a random IV is used for encryption with AES in CBC mode, so that key/IV pairs are not reused, which would be a vulnerability. During decryption, the IV of the encryption is required. If de...

1 answer  ·  posted 4mo ago by Holden‭  ·  last activity 4mo ago by Peter Taylor‭

#1: Initial revision by user avatar Holden‭ · 2024-08-07T11:12:35Z (4 months ago)
Is this AES/CBC scheme, where the IV does not need to be known during decryption, insecure or does it have any other disadvantages? 
Usually a random IV is used for encryption with AES in CBC mode, so that key/IV pairs are not reused, which would be a vulnerability.  
During decryption, the IV of the encryption is required. If decryption is performed with a different IV, this leads to corruption of the first block in CBC mode.  
In order to make the IV available to the decrypting party, it is usually concatenated with the ciphertext (IV | ciphertext). During decryption, the IV and ciphertext can then be determined from this.

In Python and with PyCryptodome, one possible implementation is: 

```python
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad

plaintext = b'This is a top secret.'
key = b'01234567890123456789012345678901' # AES test key
cipher = AES.new(key, AES.MODE_CBC)
ciphertext = cipher.encrypt(pad(plaintext, AES.block_size))
ivCiphertext = cipher.iv + ciphertext # concatenate IV and cipertext
print(ivCiphertext.hex())

iv = ivCiphertext[:16] # strip IV off
ciphertext = ivCiphertext[16:]
cipher = AES.new(key, AES.MODE_CBC, iv)
plaintext = unpad(cipher.decrypt(ciphertext), AES.block_size)
print(plaintext.decode())
```

-----------

Since in the CBC mode only the first block is corrupted when decrypting with a wrong IV, the following scheme would also be possible: The plaintext is preceded by an arbitrary plaintext block, e.g. 16 0x00 values. A random IV is used for encryption. For decryption, an arbitrary IV is used, e.g. 16 0x00 values. The first block of the decrypted plaintext is discarded (this is corrupted due to the wrong IV, but as it does not contain any payload data, this does not matter).

In Python and with PyCryptodome, a possible implementation is the following: 

```python
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad

plaintext = b'This is a top secret.'
key = b'01234567890123456789012345678901' # AES test key
plaintext = b'\x00'*16 + plaintext # prepend arbitrary block
cipher = AES.new(key, AES.MODE_CBC)
ciphertext = cipher.encrypt(pad(plaintext, AES.block_size))
print(ciphertext.hex())

cipher = AES.new(key, AES.MODE_CBC)
plaintext = unpad(cipher.decrypt(ciphertext), AES.block_size)
plaintext = plaintext[16:] # remove prepended block
print(plaintext.decode())
```

------------

There is practically no difference in the effort required for the two implementations. Neither leads to key/IV reuse. Both must pass data of the same size to the decrypting party. However, the last variant has the advantage (at least in my opinion) that the condition *The IV of the encryption is required for decryption* is eliminated. Nevertheless, the last scheme is practically not used (at least I can only find the first variant on the web). My questions are: Does the second implementation have a disadvantage in terms of security compared to the first? Or is there another reason why the second schema is not used?