3

I'm looking at a datagram-based protocol that encrypts a payload. The payload is encrypted with AES or blowfish in CBC mode, and the result is then authenticated with a HMAC.

To save space, the protocol uses a zero IV, but prepends a special prefix to the data before encryption.

The prefix consists of 12 random bytes, followed by a unique sequence number that isn't reused for the same key.

In summary, the datagram payload basically looks like this:

HMAC(12+ bytes) CBC-ENCRYPT (IV=0, RANDOM(12 bytes) SEQUENCE(4 bytes) REAL_DATA)

My question is, is there an obvious flaw to this construct? As I see it, it basically is like normal CBC, but instead of a fully random IV, it uses ECB-ENCRYPT(random + sequence) as (effective) IV.

Marc Lehmann
  • 31
  • 1
  • forgot to mention: the RANDOM is different with each packet sent, and the starting point for the sequence is random and never sent unencrypted, so the IV is basically a random value that increments predictably. – Marc Lehmann Jul 12 '13 at 04:06
  • I am not sure it is a duplicate - do you mean that the additional encryption step makes it effectively random? – Marc Lehmann Jul 12 '13 at 05:17
  • Well it is mostly random to start with, but, yes, as the key is secret, once the first plaintext block has gone through the block cipher it becomes effectively random to an attacker, and as long as your first plaintext block is unique (which it is thanks to your counter) the "effective IV" will never be repeated, indeed satisfying all of CBC's IV requirements. – Thomas Jul 12 '13 at 05:46

0 Answers0