3

While digging into a secured communication protocol, I noticed a usage of AES-128 CBC that caught my attention. In it, the IV is tightly coupled to the key, being an XOR of its bytes with the byte index:

/* IV derivation as used by the protocol: each IV byte is the matching
   key byte XORed with its own index */
static void derive_iv(const unsigned char Key[16], unsigned char IV[16])
{
    for (int i = 0; i < 16; i++)
        IV[i] = Key[i] ^ (unsigned char)i;
}

  1. Could it be an issue if an attacker knows the first blocks of a plaintext?
  2. Does it weaken the implementation of the encryption?

Thank you in advance

Kannibal

3 Answers

3

This implementation is horribly broken, since the IV is (most likely) sent in the clear. An eavesdropper who knows the implementation will immediately be able to deduce the key and decrypt all data.

The IV will also be the same for repeated uses of the key. This opens up several weaknesses. For one, it leaks information on when multiple plaintexts begin with the same data, and for approximately how long. IV reuse is also vulnerable to chosen plaintext attacks. See this answer for more details.

bkjvbx
2

Consider the equations for the CBC encryption and decryption, where $P_i$ and $C_i$ are the blocks of a plaintext/ciphertext pair $P_1P_2\ldots$ and $C_1C_2\ldots$:

$$ \begin{align} C_1 &= E_k(IV \oplus P_1) \\ C_2 &= E_k(C_1 \oplus P_2) \\ & \vdots \\ P_1 &= IV \oplus D_k(C_1) \\ P_2 &= C_1 \oplus D_k(C_2) \\ & \vdots \end{align} $$

And add your additional condition, which derives $IV$ from xoring the key with a constant $ivpad$ (known to the attacker):

$$ \begin{align} IV &= k \oplus ivpad \end{align} $$

Substituting for $IV$, we get:

$$ \begin{align} C_1 &= E_k(k \oplus ivpad \oplus P_1) \\ C_2 &= E_k(C_1 \oplus P_2) \\ & \vdots \\ P_1 &= k \oplus ivpad \oplus D_k(C_1) \\ P_2 &= C_1 \oplus D_k(C_2) \\ & \vdots \end{align} $$

Now take the equation for $P_1$ and solve for $k$:

$$ \begin{align} k &= P_1 \oplus ivpad \oplus D_k(C_1) \end{align} $$

This yields the outline for a possible key-recovery attack. The attacker has to:

  1. Query for the encryption $C_1C_2\ldots$ of some plaintext $P_1P_2\ldots$;
  2. Query for the raw block cipher decryption $D_k(C_1)$;
  3. Solve the last equation to recover $k$.

And that is a clear weakness of this CBC variant; if the attacker has an encryption oracle for the CBC variant and a decryption oracle for the raw block cipher, they can recover the key trivially. Correct CBC with fresh random IVs is not vulnerable to this, nor is it vulnerable even if the IV is reused, as long as the IV is unrelated to the key.

Luis Casillas
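To make the points in this answer and in the first one concrete, here is an added Python example; it is not from the question or from any of the answers. It uses a small SHA-256 based Feistel permutation as a stand-in for AES (the flaw lies in the IV derivation, not in the block cipher, so any keyed permutation exhibits it), builds CBC on top of it, and then recovers the key in the two ways described: directly from the IV that travels in the clear (first answer), and via $k = P_1 \oplus ivpad \oplus D_k(C_1)$ using an encryption oracle plus a raw block-decryption oracle (this answer). It finishes with the same message under fresh random IVs, where shared first blocks no longer show up in the ciphertext. The stand-in cipher, the sample message and all function names are constructed for this example.

```python
import hashlib
import os

BLOCK = 16

# --- Stand-in block cipher (constructed for this example, NOT AES) ---
# A 16-byte keyed permutation: 4-round Feistel network with a SHA-256 based
# round function. It only plays the role of E_k / D_k so the example runs on
# the standard library alone; the CBC/IV weakness does not depend on it.

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, r: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([r]) + half).digest()[:8]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """E_k: (L, R) -> (R, L xor F(R)) for four rounds."""
    left, right = block[:8], block[8:]
    for r in range(4):
        left, right = right, _xor(left, _round(key, r, right))
    return left + right

def block_decrypt(key: bytes, block: bytes) -> bytes:
    """D_k: inverse of block_encrypt (rounds undone in reverse order)."""
    left, right = block[:8], block[8:]
    for r in reversed(range(4)):
        left, right = _xor(right, _round(key, r, left)), left
    return left + right

# --- CBC mode, exactly the equations given in the answer ---

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    assert len(plaintext) % BLOCK == 0, "example uses block-aligned input"
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(prev, plaintext[i:i + BLOCK]))  # C_i = E_k(C_{i-1} xor P_i)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out.append(_xor(prev, block_decrypt(key, cur)))  # P_i = C_{i-1} xor D_k(C_i)
        prev = cur
    return b"".join(out)

# --- The derivation from the question: IV[i] = Key[i] ^ i ---
IVPAD = bytes(range(BLOCK))  # the public constant "ivpad" from the answer

def derive_iv_from_key(key: bytes) -> bytes:
    return _xor(key, IVPAD)

# First answer: the IV is on the wire, and XOR is its own inverse.
def key_from_transmitted_iv(iv: bytes) -> bytes:
    return _xor(iv, IVPAD)

# This answer: k = P_1 xor ivpad xor D_k(C_1), given a known first block and
# a raw block-decryption oracle.
def key_from_oracles(p1: bytes, c1: bytes, raw_decrypt_oracle) -> bytes:
    return _xor(_xor(p1, IVPAD), raw_decrypt_oracle(c1))

def demo() -> dict:
    key = os.urandom(BLOCK)            # the secret the protocol is protecting
    iv = derive_iv_from_key(key)       # ...and what it sends alongside the ciphertext
    msg = b"GET /status HTTP" + b"/1.1 secret=xyzw"   # constructed 32-byte sample
    ct = cbc_encrypt(key, iv, msg)

    recovered_from_iv = key_from_transmitted_iv(iv)
    recovered_from_oracles = key_from_oracles(
        msg[:BLOCK], ct[:BLOCK], lambda blk: block_decrypt(key, blk))

    # Same key + key-derived (hence fixed) IV: a shared first block gives a
    # shared C_1, the prefix leak the first answer mentions.
    ct_other = cbc_encrypt(key, iv, b"GET /status HTTP" + b"/1.1 other=abcd!")

    # Correct CBC: a fresh random IV per message, unrelated to the key.
    good_a = cbc_encrypt(key, os.urandom(BLOCK), msg)
    good_b = cbc_encrypt(key, os.urandom(BLOCK), msg)

    return {
        "key_from_iv": recovered_from_iv == key,
        "key_from_oracles": recovered_from_oracles == key,
        "decrypts_with_recovered_key": cbc_decrypt(recovered_from_iv, iv, ct) == msg,
        "prefix_leak_with_key_derived_iv": ct[:BLOCK] == ct_other[:BLOCK],
        "random_iv_hides_prefix": good_a[:BLOCK] != good_b[:BLOCK],
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Swapping the stand-in for real AES (for example via a library's ECB primitive as $E_k$/$D_k$) changes nothing in `demo()`: every recovery above uses only the XOR structure of CBC and the public derivation of the IV. Conversely, with `os.urandom` IVs the two recovery functions have nothing to work with, which is the behaviour a reviewer should expect from a correct CBC deployment.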
0

This system can be broken trivially. As the IV is public and the algorithm is also public, the attacker can easily break the system.

Could it be an issue if an attacker knows the first blocks of a plaintext?

That depends on the security of the encryption scheme you are using.

As the plaintext is known to the attacker, for the encryption to be secure the scheme should be secure against a "known plaintext attack". A standard block cipher such as AES (as in your case), CLEFIA, or 3DES is secure against KPA. (But DES is not.)