Given the following to-be-encrypted email, and this (weak) encryption key:
$source="[email protected]";
$pass="Somepassword...";
I want to generate a somewhat good encrypted string:
$method = "AES-128-CBC";
// The original used mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC) and
// mcrypt_create_iv($iv_size, MCRYPT_RAND); mcrypt was removed in PHP 7.2, so the
// openssl equivalents are used here (16 bytes for AES-CBC).
$iv_size = openssl_cipher_iv_length($method);
$iv = random_bytes($iv_size);
// The original passed true as the options argument; it is coerced to 1, i.e. OPENSSL_RAW_DATA.
$encrypted = openssl_encrypt($source, $method, $pass, OPENSSL_RAW_DATA, $iv);
If I try to decrypt it works fine:
$decrypted = openssl_decrypt($encrypted, $method, $pass, OPENSSL_RAW_DATA, $iv);
echo $decrypted;
// [email protected]
But when I tried to decrypt with a different $iv (!), I expected to get a nonsense result, but instead I got:
$iv2 = "tralala1tralala2";
$decrypted = openssl_decrypt($encrypted, $method, $pass, OPENSSL_RAW_DATA, $iv2);
echo $decrypted;
// m~Œ=¢ì •wêàdÏŠ[email protected]
So basically the last 26 characters are decrypted even with a different $iv ("[email protected]"). Can someone explain why this happens? (The same 26 chars are decrypted even when I change the $iv again)
I've got this encryption method from the best answer here
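The effect described in the question, reproduced as an added PHP example (not the question's own code) that also shows why it is invisible to CBC and how an encrypt-then-MAC check rejects a wrong IV; the e-mail address and the MAC key are constructed sample values.

```php
<?php
// Added example: why a wrong IV under AES-128-CBC garbles only the first block.
// CBC decryption computes  P[i] = AES_dec(key, C[i]) XOR C[i-1]
// and only P[0] uses the IV in place of C[-1]; every later block is XORed with
// the previous *ciphertext* block, which the decrypting side still has intact.
$method = "AES-128-CBC";
$pass   = "Somepassword...";     // the question's weak 15-byte key; openssl pads it with NUL bytes
$source = "alice@example.com";   // constructed sample address (17 bytes -> two blocks plus padding)

$iv  = random_bytes(openssl_cipher_iv_length($method)); // 16 random bytes
$iv2 = "tralala1tralala2";                              // the wrong IV from the question (exactly 16 bytes)

$encrypted = openssl_encrypt($source, $method, $pass, OPENSSL_RAW_DATA, $iv);

$good = openssl_decrypt($encrypted, $method, $pass, OPENSSL_RAW_DATA, $iv);
$bad  = openssl_decrypt($encrypted, $method, $pass, OPENSSL_RAW_DATA, $iv2);

// 1. Everything after the first block is identical: C[0], not the IV, feeds P[1],
//    so the PKCS#7 padding in the last block is still valid and decrypt succeeds.
echo (substr($good, 16) === substr($bad, 16)) ? "tail identical\n" : "tail differs\n";

// 2. The first block is off by exactly IV XOR IV2:
//    P'[0] = AES_dec(C[0]) XOR IV2 = (P[0] XOR IV) XOR IV2
$predicted = substr($good, 0, 16) ^ ($iv ^ $iv2);
echo ($predicted === substr($bad, 0, 16)) ? "first block = P[0] ^ IV ^ IV2\n" : "mismatch\n";

// 3. CBC alone gives no integrity, so a wrong or tampered IV is never detected.
//    An HMAC over IV || ciphertext (encrypt-then-MAC) makes the receiver refuse
//    such input instead of returning a partly readable string.
$macKey = random_bytes(32);                                  // separate key for the MAC
$tag    = hash_hmac("sha256", $iv . $encrypted, $macKey, true);

function verifyAndDecrypt(string $iv, string $ct, string $tag, string $pass, string $macKey, string $method): ?string
{
    $expected = hash_hmac("sha256", $iv . $ct, $macKey, true);
    if (!hash_equals($expected, $tag)) {
        return null; // refuse: IV or ciphertext does not match the tag
    }
    $pt = openssl_decrypt($ct, $method, $pass, OPENSSL_RAW_DATA, $iv);
    return $pt === false ? null : $pt;
}

var_dump(verifyAndDecrypt($iv,  $encrypted, $tag, $pass, $macKey, $method)); // correct IV: plaintext
var_dump(verifyAndDecrypt($iv2, $encrypted, $tag, $pass, $macKey, $method)); // wrong IV: rejected
```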