Hi,

There have been many questions with regard to IV generation, encryption and sharing the IV between the sender and receiver, but I want to make an explicit post regarding the best way to send the IV from the sender to the receiver.

From all the posts that I've seen so far, I'm uncertain as to whether it is safe to send the IV in "plaintext" by prepending it to the cipher text. So the first question is, is it safe to do so?

Second, is there a safer way to share an IV between the sender and receiver when communicating by exchanging messages?

Cheers

+1  A: 

Yes, it is safe to do in plain text with the caveat that they should not be repeated.

jwsample
+1  A: 

Yes, it is safe. Many protocols such as WEP and WPA will transmit the IV in plain text. This is usually a requirement as it is impossible to decrypt the message without knowing the IV. The most common WEP attack involves capturing thousands of IVs, but this is because RC4 is vulnerable to a Related Key Attack. If you are using a secure symmetric cipher then you do not have to worry.

A known vulnerability that I know of relating to IVs is CWE-329, which requires that the IV be random, and this is why this is an issue. Another potential problem is encrypting 2 messages with the same IV. This is a problem because an attacker may be able to identify another cipher text message by encrypting many known messages, effectively making guesses as to what a captured cipher text may be without knowing the key.

Rook
+2  A: 

Yes, it is safe to send the IV in the clear. Here is the 'proof' of why:

Take CBC mode for example:

[figure: CBC mode encryption diagram]

You can see that the ciphertext of a block is XORed with the plaintext of the next block. The reason we need an IV is because on the first block, there is no previous ciphertext to use. If there was a security risk with having the IV be secret, then the security risk would be present for every block after, since the ciphertext serves the same role as the IV.

That being said though, you need to make sure you MAC it. Depending on how you do message authentication codes, someone tampering with the IV could tamper with the resulting plaintext on decryption. Encryption alone does not provide integrity of messages.

Also, for IV generation, it depends on your requirements. But most often, your IV needs to be random and non-predictable.

mattjf
Thanks mattjf. Good explanation. On a related note, what is the relationship between the size of the original plaintext and the resulting ciphertext? I would probably need to know the sizes if I'm going to be extracting the relevant parts back.
Mystic
Well, unfortunately the answer is, it depends. Depending on which cipher and mode you use, it will vary. CBC is the most popular mode, which requires the IV and requires plaintext be padded up to the block size. So, let's say you want to encrypt 4 bytes with AES CBC. You would need 16 bytes for the IV, and those 4 bytes need to be padded to 16 bytes, for a total of 32 bytes. You can use Ciphertext Stealing to prevent the block expansion, or you can use AES CTR mode. How are you MACing your data? You need to make sure no one can tamper with your encrypted data.
mattjf
Continued: If you can give the primitives you are constrained to using, we can make a better recommendation. But, truthfully, you shouldn't be designing cryptosystems. Can you use an existing standard or protocol? What exactly are you trying to accomplish?
mattjf
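The construction mattjf describes in the answer (random IV prepended in the clear, MAC over the message) together with the size arithmetic from the comments (16-byte IV plus one padded block for a 4-byte message), as an added Go example that is not code from the original thread: AES-CBC with PKCS#7 padding, HMAC-SHA256 over IV || ciphertext, and the tag verified before any decryption. The names Seal and Open are assumptions; the caller supplies an AES cipher.Block (built with aes.NewCipher) and a separate MAC key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Seal returns IV || AES-CBC ciphertext || HMAC-SHA256(IV || ciphertext); the IV
// is a fresh random block sent in the clear, and the MAC covers it.
func Seal(block cipher.Block, macKey, plaintext []byte) ([]byte, error) {
	// PKCS#7 padding: 4 bytes grow to 16, and a full 16 grow to 32.
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	msg := append(make([]byte, aes.BlockSize), plaintext...)
	msg = append(msg, bytes.Repeat([]byte{byte(n)}, n)...)
	if _, err := rand.Read(msg[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, msg[:aes.BlockSize]).CryptBlocks(msg[aes.BlockSize:], msg[aes.BlockSize:])
	mac := hmac.New(sha256.New, macKey)
	mac.Write(msg)
	return mac.Sum(msg), nil
}

// Open verifies the tag over IV || ciphertext before decrypting, so a modified
// IV is rejected instead of silently altering the first plaintext block.
func Open(block cipher.Block, macKey, msg []byte) ([]byte, error) {
	body := len(msg) - sha256.Size
	if body < 2*aes.BlockSize || body%aes.BlockSize != 0 {
		return nil, errors.New("malformed message")
	}
	mac := hmac.New(sha256.New, macKey)
	mac.Write(msg[:body])
	if !hmac.Equal(mac.Sum(nil), msg[body:]) {
		return nil, errors.New("authentication failed: IV or ciphertext modified")
	}
	pt := make([]byte, body-aes.BlockSize)
	cipher.NewCBCDecrypter(block, msg[:aes.BlockSize]).CryptBlocks(pt, msg[aes.BlockSize:body])
	// Strip and validate PKCS#7 padding (safe to report: the MAC already passed).
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-n], nil
}
```

The receiver splits off the first 16 bytes as the IV and the last 32 as the tag, which answers the size question: a 4-byte message becomes 32 bytes of IV plus ciphertext before the tag is appended.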