currently I audit some code I've written in the past to use KeePass 1.x databases. I stumbled over the following question:
The database itself is decrypted with AES-CBC and inside the file header the IV is stored in plain text. Is this a security hole? Following this article it's not really one as the IV is only needed for the first block but following this it is as a watermark attack is possible. Could someone explain this please in more detail?
Thanks a lot.
As hunter said in his comment, IVs are not required to be secret. Recall that the purpose of an IV is to make an otherwise deterministic construction instead be non-deterministic; if this were not the case, then these constructions would no longer have indistinguishable encryptions under chosen-plaintext attacks, and that would be a real shame.
Thus, there is no real need to keep the IV secret. If revealing the IV in AES-CBC somehow weakened the scheme, then there would be something very wrong with AES, and as far as anyone in the past 15 years can tell, there isn't much wrong with it. Think about it: what role does the IV have? Well: it is XOR'd with the first block of the plaintext before encryption. There's not much that can go wrong.
Of course, it's not all fun and games. For CBC mode encryption, your IV does need to be unpredictable and never reused. Generally, just picking a good (pseudo)random number does the trick there, but the requirement's there all the same.
Note an exception: if you are using CBC-MAC, your IV needs to be some fixed constant, usually zero, to prevent a bit of trickery on the part of an adversary. This doesn't really apply to your question directly, but I wanted to mention it just in case someone stumbled across this answer and thought it applied to CBC-MAC.
