CBC with a fixed or random IV

Question

I have three questions related to the use of IV within CBC mode of operation:

Why, exactly, is it so bad to have a fixed (or predictable) IV in CBC mode? An example would be great!
Given 1., why is a random IV better? And if the IV is "random", how are Alice and Bob boh supposed to know it? Isn't the IV part of the key in that case?
Why not only use the IV once (as in, keep on the CBC process forever and ever, without ever "starting again with a new IV")?

I see! Thanks! So for 1), if the IV is predictable, why is that bad? Also, added a 3) — Joe, Jan 08 '15 at 14:22
@CodesInChaos: You imply a block size of 128 bits, which is not always the case. — Nova, Jan 08 '15 at 19:37
@Joe: 2) The random IV gets send with the ciphertext, in the clear. 3) Well, you would have to always send the last ciphertext block with a new message. Also this allows some attacks which would show him/her the same things mentioned in 1). — Nova, Jan 08 '15 at 19:39
Predictable IV attack covered here: https://crypto.stackexchange.com/questions/3883/why-is-cbc-with-predictable-iv-considered-insecure-against-chosen-plaintext-atta — Meir Maor, Mar 30 '18 at 14:11

score 4 · Answer 1 · edited Jan 10 '15 at 02:22

For question (1):

This page gives some hints on IVs and CBC: https://defuse.ca/cbcmodeiv.htm

I copy-paste the part about IVs "predictability"

Chosen-Plaintext Attacks

Randomness is not enough, though. IVs have to be unpredictable, too[2].

Suppose there is a CBC-mode encryption system that selects a random IV, publishes it, asks the user for a one-block plaintext to encrypt, encrypts it with that IV, then gives the ciphertext to the user. Suppose Alice uses the system to encrypt two distinct messages A, and B, to get ciphertexts C and D. Alice gives Mallory the plaintexts and the ciphertexts and offers Mallory \$1000 if he can tell her which of the two ciphertexts is the encryption of plaintext A. If he can't, he has to give Alice \$1000.

If Mallory made a random guess, he would be right with 50% probability, because either C corresponds to A, or D corresponds to A. If the system is secure, Mallory shouldn't be able to do any better than this.

Mallory doesn't have to guess, though, because he can use a chosen-plaintext attack on the CBC-mode encryption system to figure out if C corresponds to A, or D corresponds to A. Mallory knows that the IV Alice used to encrypt A was IVA, and he knows that the input to the block cipher was A XOR IVA. Mallory just needs to know whether the block cipher encryption of A XOR IVA is C or D. Mallory asks the encryption system for the next IV, IVN, and sends it the plaintext A XOR IVA XOR IVN to encrypt. The system follows CBC mode, XORing Mallory's plaintext with IVN and passing the result to the block cipher. IVN XOR IVN is 0, so the system passes A XOR IVA to the block cipher, and gives Mallory the ciphertext. What Mallory gets back is either C or D, whichever one corresponds to plaintext A. In this case, Mallory gets back C, tells Alice that C corresponds to A, and wins $1000 with 100% probability.

Mallory would not have been able to do this if he could not predict the IV, since the plaintext he sends to the system depends on the next IV.

For (2):

Although the IV must be unpredictable (for each key), it doesn't need to be kept safe once the ciphertext was generated. Generally it is send (prefixed) to the ciphertext. It's certainly not part of the key.

For (3):

If there are separate encryptions, then see 1. If there is just one long stream then you only need one IV.

CBC with a fixed or random IV

1 Answers1