Losing the Initialization Vector in Cipher Block Chaining

I have written a message and encrypted it using cipher block chaining.

What will happen if the receiver loses the Initialization Vector, or doesn't receive it at all?

Tags: decryption, ciphers

edited 3 hours ago by Johnny
asked 6 hours ago by Ahmed Iraqi

3 Answers

In a cipher block chain, each block is XORed with the ciphertext of the previous block, not the plaintext. So even if you cannot decipher one block, as long as you have received the complete block intact and correct, you can still use it to decipher the next one.

So, if your receiver doesn't have the Initialization Vector, they will be unable to decipher the first block they receive. But as long as they receive the first block, they will still successfully decipher the second (and each successive) block.

answered 5 hours ago by Johnny

The bigger problem is not the garbled first block, as already answered. The real problem is that if you use Authenticated Encryption (or AEAD), as you must, then the message cannot be authenticated without the IV (because the IV must be covered by the MAC), and when the message cannot be authenticated, it must not be decrypted. The job of the MAC is to ensure unauthenticated messages are never passed to AES (or whatever) together with your real key.

Since you are trying to decrypt messages that don't have their IV, we must assume they are also unauthenticated (or you had a MAC that didn't cover the IV). Fix that.

You can do CBC + HMAC, encrypt-then-MAC, with the MAC covering the IV, and it would be secure. But, it would be much better to use AES-GCM or ChaCha20-Poly1305. It would be even better to just use libsodium or Google Tink.

answered 14 mins ago by Z.T.

When decrypting a message in CBC mode, each ciphertext block c_i is decrypted with the chosen key, and then XORed with the previous ciphertext block c_{i-1}.

Since for c_1, there is c_0, we use the IV instead. So if the receiver knows the ciphertext and the key used to encrypt it, but not the IV, they can decrypt everything apart from the first block.

edited 9 mins ago by schroeder
answered 5 hours ago by TheWolf

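Added example, not part of any answer above: a runnable sketch of what the answers describe, showing that CBC decryption with a missing IV loses only the first block, and that an encrypt-then-MAC receiver whose tag covers the IV rejects the message before decrypting. The block cipher is a small Feistel construction over HMAC-SHA256 standing in for AES so the script needs only the standard library; the keys, message and function names are constructed for the illustration.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes, same as AES


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def round_fn(key, i, half):
    # Feistel round function: 8 bytes of HMAC-SHA256(key, round index || half block)
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key, block):
    # Stand-in for AES (assumption): a 4-round Feistel permutation on 16 bytes
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, xor_bytes(left, round_fn(key, i, right))
    return left + right


def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = xor_bytes(right, round_fn(key, i, left)), left
    return left + right


def cbc_encrypt(key, iv, plaintext):
    n = BLOCK - len(plaintext) % BLOCK
    data = plaintext + bytes([n]) * n  # PKCS#7 padding
    prev, out = iv, b""
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, xor_bytes(data[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt_blocks(key, iv, ciphertext):
    # p_i = D(c_i) XOR c_(i-1); the IV is used only for the first block
    prev, blocks = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        blocks.append(xor_bytes(block_decrypt(key, c), prev))
        prev = c
    return blocks


def seal(enc_key, mac_key, plaintext):
    # Encrypt-then-MAC: the tag covers the IV as well as the ciphertext
    iv = os.urandom(BLOCK)
    ct = cbc_encrypt(enc_key, iv, plaintext)
    return iv, ct, hmac.new(mac_key, iv + ct, hashlib.sha256).digest()


def open_sealed(enc_key, mac_key, iv, ct, tag):
    # Verify first; nothing reaches the block cipher unless the tag matches
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed, refusing to decrypt")
    raw = b"".join(cbc_decrypt_blocks(enc_key, iv, ct))
    return raw[:-raw[-1]]  # strip padding only after authentication


# Constructed keys and message for the demonstration
ENC_KEY, MAC_KEY = b"E" * 32, b"M" * 32
MESSAGE = b"BLOCK-ONE-16byte" + b"BLOCK-TWO-16byte" + b"tail"

if __name__ == "__main__":
    iv, ct, tag = seal(ENC_KEY, MAC_KEY, MESSAGE)
    guess = bytes(BLOCK)  # receiver lost the IV and substitutes zeros
    for n, block in enumerate(cbc_decrypt_blocks(ENC_KEY, guess, ct), 1):
        print(n, block)  # block 1 is garbage, blocks 2 and 3 are intact
    try:
        open_sealed(ENC_KEY, MAC_KEY, guess, ct, tag)
    except ValueError as err:
        print("encrypt-then-MAC receiver:", err)
```

With a substituted IV, the first recovered block equals the true first block XOR the real IV XOR the substitute, which is why it is garbage to the receiver while every later block is unaffected.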