
I was reading about Encrypt-then-MAC and everywhere I go it seems people include the IV with the ciphertext generated for each message then MAC that and send all the information concatenated.

Why do I need to send the IV more than once?

user3100783
    You don't need to send "the IV" more than once. On the other hand, you need to send and MAC each IV. –  Apr 30 '14 at 14:47
  • Ah, that makes sense. Does the IV actually need to change in the lifetime of one session (assuming the session lasts at most an hour)? Well, I guess that's a relative question – user3100783 Apr 30 '14 at 14:48
  • The IV needs to change in the lifetime of one session so that an eavesdropper can't determine whether or not a plaintext was repeated. –  Apr 30 '14 at 14:51
  • @user3100783: In almost all use-cases, the IV should be changed for each message. Depending on the particular algorithms used the IV might need to be random, or it might just need to be unique – Cryptographeur Apr 30 '14 at 15:17
  • The IV must be different for each message. If you can use an implicit IV, such as a counter, you don't need to send it explicitly. (At least with a mode that only needs unique IVs like CTR. For random IVs as in CBC you need some modifications, but in principle this is still possible.) – CodesInChaos Apr 30 '14 at 15:19
  • Related reading: http://crypto.stackexchange.com/questions/2641/why-do-new-versions-of-tls-use-an-explicit-iv-for-cbc-suites – hunter Apr 30 '14 at 15:43
  • Hmm, I assumed that because I was using CBC I only need to include the IV once (for the initial block to be randomized) and subsequent blocks are randomized by xor'ing previous blocks. Does it still hold that I need to use a new IV for each message? I guess if two blocks have identical plaintexts this could have some kind of impact (having trouble wrapping my head around it atm I'll think about it). I'll read that link as well. Thanks all – user3100783 Apr 30 '14 at 16:04
  • You need a new IV for each message. You can't reuse the last block of the previous message. Doing that caused the BEAST attack against SSL. The assumption behind CBC's chaining is that an attacker can't see part of the ciphertext and then influence later plaintext. – CodesInChaos Apr 30 '14 at 17:17
  • To be clear, CBC does randomize subsequent blocks by XORing previous blocks within a message. A single message consists of one or more blocks, and each message needs its own unique (and random) IV. – Stephen Touset Jun 11 '14 at 21:19

1 Answer


I assume your protocol is message oriented. You needn't repeat the IV, but need to supply a new one for every message.

This can be either:

  1. a random string from a CSPRNG,
  2. a concatenation of a random string (sent once per session, if you're traffic-savvy) and a message counter (can be omitted from the packet, too), or
  3. a member of any other unique sequence of 'reasonably random' block-sized blobs.

For CBC mode, the IVs should be sufficiently random, e.g. output from (2) may be hashed.

NekojiruSou
  • Depending on the mode that uses the IV, this may not be great advice. For example, using a counter as an IV (even if some of the counter bits are hidden) might not be a great idea if the initial plaintext blocks of adjacent packets have a good probability of differing only in their LSBits. – poncho Jun 11 '14 at 20:14
  • For CBC, I agree. – NekojiruSou Jun 11 '14 at 20:17
  • Yes, I meant CBC mode specifically -- somehow that didn't make it into the comment... – poncho Jun 11 '14 at 20:24
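The following is an added example, not code from the question, the answer or any of the commenters. It puts the thread's points into one Encrypt-then-MAC round trip in Go using only the standard library: every message gets its own IV, the IV travels in the packet and is covered by the MAC, the receiver verifies the tag before decrypting, and a helper shows what an eavesdropper can tell when an IV is reused. `CounterIV` implements the answer's option (2) with the hashing it recommends for CBC. The keys, session nonce and messages are constructed for the demo; the packet layout (IV || ciphertext || HMAC-SHA256 tag) and the function names are assumptions of this example, not a wire format from the page.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed session keys for the demo: one for AES-256-CBC and an
// independent one for HMAC-SHA256. A real session derives both freshly.
var (
	encKey = []byte("0123456789abcdef0123456789abcdef")
	macKey = []byte("fedcba9876543210fedcba9876543210")
)

// CounterIV is the answer's option (2) plus the hashing it suggests for CBC:
// a per-session random string and a message counter, hashed to one block.
// Only the counter needs to travel if the receiver already knows the nonce.
func CounterIV(sessionNonce []byte, counter uint64) []byte {
	var c [8]byte
	binary.BigEndian.PutUint64(c[:], counter)
	sum := sha256.Sum256(append(append([]byte{}, sessionNonce...), c[:]...))
	return sum[:aes.BlockSize]
}

func pkcs7Pad(b []byte, bs int) []byte {
	n := bs - len(b)%bs
	out := make([]byte, len(b), len(b)+n)
	copy(out, b)
	return append(out, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, bs int) ([]byte, error) {
	if len(b) == 0 || len(b)%bs != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > bs {
		return nil, errors.New("bad padding")
	}
	for _, x := range b[len(b)-n:] {
		if int(x) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// Seal encrypts one message under a fresh random IV (the answer's option 1)
// and MACs IV||ciphertext. Packet layout: IV (16) || ciphertext || tag (32).
func Seal(plaintext []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	return SealWithIV(iv, plaintext)
}

// SealWithIV takes the IV as a parameter so the effect of reusing one is visible.
func SealWithIV(iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(iv) // the IV is authenticated together with the ciphertext
	mac.Write(ct)
	return append(append(append([]byte{}, iv...), ct...), mac.Sum(nil)...), nil
}

// Open checks the tag over IV||ciphertext first, so a modified IV or
// ciphertext is rejected before the block cipher is ever run.
func Open(packet []byte) ([]byte, error) {
	if len(packet) < 2*aes.BlockSize+sha256.Size {
		return nil, errors.New("packet too short")
	}
	tagStart := len(packet) - sha256.Size
	iv, ct, tag := packet[:aes.BlockSize], packet[aes.BlockSize:tagStart], packet[tagStart:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(iv)
	mac.Write(ct)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("MAC mismatch")
	}
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block-aligned")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt, aes.BlockSize)
}

// FirstCipherBlocksEqual is the eavesdropper's test from the comments: with a
// reused IV, equal first plaintext blocks give equal first ciphertext blocks.
func FirstCipherBlocksEqual(p1, p2 []byte) bool {
	return bytes.Equal(p1[aes.BlockSize:2*aes.BlockSize], p2[aes.BlockSize:2*aes.BlockSize])
}

func main() {
	msg := []byte("same request, sent twice")
	a, _ := Seal(msg)
	b, _ := Seal(msg)
	fmt.Println("fresh IVs, first blocks equal:", FirstCipherBlocksEqual(a, b)) // false
	iv := bytes.Repeat([]byte{7}, aes.BlockSize)
	c, _ := SealWithIV(iv, msg)
	d, _ := SealWithIV(iv, msg)
	fmt.Println("reused IV, first blocks equal:", FirstCipherBlocksEqual(c, d)) // true
}
```

Two design points worth noting: the receiver compares tags with `hmac.Equal` (constant time) and refuses to decrypt on mismatch, which is what Encrypt-then-MAC buys you; and because the IV sits under the MAC, flipping a bit in it is caught as tampering rather than silently scrambling the first plaintext block.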