Losing the Initialization Vector in Cipher Block Chaining



I have written a message and encrypted it using cipher block chaining.

What will happen if the receiver loses the Initialization Vector, or doesn't receive it at all?







Tags: decryption, ciphers






edited 4 hours ago by Johnny
asked 7 hours ago by Ahmed Iraqi

3 Answers






3

In a cipher block chain, each block is XORed with the ciphertext of the previous block, not the plaintext. So even if you cannot decipher one block, as long as you have received the complete block intact and correct, you can still use it to decipher the next one.

So, if your receiver doesn't have the Initialization Vector, they will be unable to decipher the first block they receive. But as long as they receive the first block, they will still successfully decipher the second (and each successive) block.






answered 6 hours ago by Johnny























1

The bigger problem is not the garbled first block, as already answered. The real problem is that if you use Authenticated Encryption (or AEAD), as you must, then the message cannot be authenticated without the IV (because the IV must be covered by the MAC), and when the message cannot be authenticated, it must not be decrypted. The job of the MAC is to ensure unauthenticated messages are never passed to AES (or whatever) together with your real key.

Since you are trying to decrypt messages that don't have their IV, we must assume they are also unauthenticated (or you had a MAC that didn't cover the IV). Fix that.

You can do CBC + HMAC, encrypt-then-MAC, with the MAC covering the IV, and it would be secure. But, it would be much better to use AES-GCM or ChaCha20-Poly1305. It would be even better to just use libsodium or Google Tink.






answered 1 hour ago by Z.T.












• This is a great answer, and shows the important difference in the answers you'll get by asking the questions "what will happen" and "what should happen"... – Johnny, 37 mins ago

















1

When decrypting a message in CBC mode, each ciphertext block c_i is decrypted with the chosen key, and then XORed with the previous ciphertext block c_{i-1}.

Since for c_1, there is c_0, we use the IV instead. So if the receiver knows the ciphertext and the key used to encrypt it, but not the IV, they can decrypt everything apart from the first block.






edited 1 hour ago by schroeder
answered 6 hours ago by TheWolf
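
The behaviour described in the answers above, as an added example that is not code from any of the posters: CBC decryption with a lost IV garbles only the first block, while encrypt-then-MAC with the tag covering the IV refuses the whole message. Assumptions: the Python standard library has no AES, so a toy Feistel cipher stands in for it; all function names are hypothetical; the receiver substitutes an all-zero IV for the lost one.

```python
import hashlib
import hmac
import os

BLOCK = 16  # bytes per block, the same size AES uses


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def round_fn(key, i, half):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def toy_encrypt_block(key, block):
    # Assumption: 4-round Feistel network standing in for AES. Not a real cipher.
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        left, right = right, xor(left, round_fn(key, i, right))
    return left + right


def toy_decrypt_block(key, block):
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(4)):
        left, right = xor(right, round_fn(key, i, left)), left
    return left + right


def cbc_encrypt(key, iv, plaintext):
    if len(plaintext) % BLOCK:
        raise ValueError("whole blocks only; padding is left out of this sketch")
    prev, out = iv, b""
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_encrypt_block(key, xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key, iv, ciphertext):
    # p_i = D_k(c_i) XOR c_(i-1); the IV stands in for c_0, so it affects block 1 only.
    prev, out = iv, b""
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out += xor(toy_decrypt_block(key, block), prev)
        prev = block
    return out


def seal(enc_key, mac_key, plaintext):
    iv = os.urandom(BLOCK)  # fresh random IV; the tag below covers IV || ciphertext
    ct = cbc_encrypt(enc_key, iv, plaintext)
    return iv, ct, hmac.new(mac_key, iv + ct, hashlib.sha256).digest()


def open_sealed(enc_key, mac_key, iv, ct, tag):
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed, not decrypting")
    return cbc_decrypt(enc_key, iv, ct)


def demo():
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    msg = b"BLOCK-1: sixteen" b"BLOCK-2: sixteen" b"BLOCK-3: sixteen"  # constructed
    iv, ct, tag = seal(enc_key, mac_key, msg)
    lost_iv = bytes(BLOCK)  # receiver no longer has the IV and substitutes zeros
    raw = cbc_decrypt(enc_key, lost_iv, ct)  # decryption without any MAC check
    try:
        open_sealed(enc_key, mac_key, lost_iv, ct, tag)
        rejected = False
    except ValueError:
        rejected = True
    return msg, iv, raw, rejected


if __name__ == "__main__":
    msg, iv, raw, rejected = demo()
    print(raw[:BLOCK] != msg[:BLOCK], raw[BLOCK:] == msg[BLOCK:], rejected)
```

With the zero IV, the first recovered block equals the real first block XORed with the true IV, which is why only that block is unreadable. Real code should use a vetted AES-CBC + HMAC or AEAD implementation rather than the toy cipher.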



















