Initialization vector: Difference between revisions

No edit summary
Rescuing 1 sources and tagging 0 as dead.) #IABot (v2.0.9.5
 
(41 intermediate revisions by 32 users not shown)
{{Short description|Input to a cryptographic primitive}}
In [[cryptography]], an '''initialization vector''' ('''IV''') or '''starting variable'''<ref>ISO/IEC 10116:2006 ''Information technology — Security techniques — Modes of operation for an ''n''-bit block cipher''</ref> is an input to a [[cryptographic primitive]] being used to provide the initial state. The IV is typically required to be [[random]] or [[pseudorandom]], but sometimes an IV only needs to be unpredictable or unique. [[Randomization]] is crucial for some [[encryption]] schemes to achieve [[semantic security]], a property whereby repeated usage of the scheme under the same [[cryptographic key|key]] does not allow an attacker to infer relationships between (potentially similar) segments of the encrypted message. For [[block cipher]]s, the use of an IV is described by the [[Block cipher mode of operation|modes of operation]].
 
Some cryptographic primitives require the IV only to be non-repeating, and the required randomness is derived internally. In this case, the IV is commonly called a [[cryptographic nonce|nonce]] (''a number used only once''), and the primitives (e.g. [[Block_cipher_mode_of_operation#CBC|CBC]]) are considered ''stateful'' rather than ''randomized''. This is because an IV need not be explicitly forwarded to a recipient but may be derived from a common state updated at both sender and receiver side. (In practice, a short nonce is still transmitted along with the message to account for message loss.) An example of stateful encryption schemes is the [[counter mode]] of operation, which has a [[sequence number]] for a nonce.
 
The IV size depends on the cryptographic primitive used; for block ciphers, it is generally the cipher's block size. In encryption schemes, the unpredictable part of the IV has at best the same size as the key to compensate for time/memory/data tradeoff attacks.<ref>{{cite journal |author = Alex Biryukov |title = Some Thoughts on Time-Memory-Data Tradeoffs |journal = IACR ePrint Archive |year = 2005 |url = http://eprint.iacr.org/2005/207 }}</ref><ref>{{cite journal |author1 = Jin Hong |author2 = Palash Sarkar |title = Rediscovery of Time Memory Tradeoffs |journal = IACR ePrint Archive |year = 2005 |url = http://eprint.iacr.org/2005/090 }}</ref><ref>{{cite conference
| last1 = Biryukov | first1 = Alex
| last2 = Mukhopadhyay | first2 = Sourav
| last3 = Sarkar | first3 = Palash
| editor1-last = Preneel | editor1-first = Bart
| editor2-last = Tavares | editor2-first = Stafford E.
| contribution = Improved Time-Memory Trade-Offs with Multiple Data
| doi = 10.1007/11693383_8
| pages = 110–127
| publisher = Springer
| series = Lecture Notes in Computer Science
| title = Selected Areas in Cryptography, 12th International Workshop, SAC 2005, Kingston, ON, Canada, August 11-12, 2005, Revised Selected Papers
| volume = 3897
| year = 2005| doi-access = free
| isbn = 978-3-540-33108-7
}}</ref><ref name="ECRYPT">{{cite tech report |author1 = Christophe De Cannière |author2 = Joseph Lano |author3 = Bart Preneel |title = Comments on the Rediscovery of Time/Memory/Data Trade-off Algorithm |institution = ECRYPT Stream Cipher Project |number = 40 |year = 2005 |url = http://www.ecrypt.eu.org/stream/papersdir/040.pdf }}</ref> When the IV is chosen at random, the probability of collisions due to the [[birthday problem]] must be taken into account. Traditional stream ciphers such as [[RC4]] do not support an explicit IV as input, and a custom solution for incorporating an IV into the cipher's key or internal state is needed. Some designs realized in practice are known to be insecure; the [[Wired Equivalent Privacy|WEP]] protocol is a notable example, and is prone to related-IV attacks.
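The birthday-problem remark above is easy to quantify. The following is an added worked example, not part of the Wikipedia article or its revision history: it assumes IVs are drawn uniformly at random and uses the standard birthday approximation p ≈ 1 − exp(−m(m−1)/2N) with N = 2^bits, to answer the defender's question "how many messages may I encrypt under one key before the chance of an IV collision exceeds my budget?". The 24-bit case corresponds to the WEP IV discussed later on the page.

```python
import math


def collision_probability(iv_bits: int, messages: int) -> float:
    """Probability that at least two of `messages` uniformly random IVs of
    `iv_bits` bits coincide (birthday approximation 1 - exp(-m(m-1)/2N))."""
    if messages < 2:
        return 0.0
    n = 2.0 ** iv_bits
    return 1.0 - math.exp(-messages * (messages - 1) / (2.0 * n))


def messages_for_probability(iv_bits: int, p: float) -> int:
    """Smallest message count m at which the collision probability reaches p,
    obtained by inverting the same approximation: m(m-1) >= -ln(1-p) * 2N."""
    if not 0.0 < p < 1.0:
        raise ValueError("p must be strictly between 0 and 1")
    n = 2.0 ** iv_bits
    target = -math.log(1.0 - p) * 2.0 * n
    # float solve of the quadratic, then fix any off-by-one from rounding
    m = math.ceil(0.5 + math.sqrt(0.25 + target))
    while m > 2 and (m - 1) * (m - 2) >= target:
        m -= 1
    while m * (m - 1) < target:
        m += 1
    return m


def budget_table(iv_sizes=(24, 64, 96, 128), p=2.0 ** -32) -> dict:
    """Per-key message budget for each IV size at an acceptable collision
    probability p (2^-32 here is a common engineering target, an assumption)."""
    return {bits: messages_for_probability(bits, p) for bits in iv_sizes}


if __name__ == "__main__":
    for bits, budget in budget_table().items():
        print(f"{bits:3d}-bit random IV: rekey after about {budget:,} messages")
    # WEP-sized 24-bit IVs pass a 50% collision chance after only a few
    # thousand packets, which is why the text calls the IV "short".
    print("24-bit IV, 50% collision after", messages_for_probability(24, 0.5), "messages")
```

The table is only meaningful for IVs that are genuinely random; a stateful scheme that uses a counter as its nonce has no collision risk at all until the counter wraps, which is the trade-off between randomized and stateful schemes described above.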
 
==Motivation==
 
[[File:Tux ECB.png|thumb|Insecure encryption of an image as a result of [[electronic codebook]] mode encoding.]]
A [[block cipher]] is one of the most basic [[cryptographic primitive|primitive]]s in cryptography, and is frequently used for data [[encryption]]. However, by itself, it can only encode a data block of a predefined size, called the [[block size (cryptography)|block size]]. For example, a single invocation of the [[Advanced Encryption Standard|AES]] algorithm transforms a 128-bit [[plaintext]] block into a [[ciphertext]] block of 128 bits in size. The [[cryptographic key|key]], which is given as one input to the cipher, defines the mapping between plaintext and ciphertext. If data of arbitrary length is to be encrypted, a simple strategy is to split the data into blocks each matching the cipher's block size, and encrypt each block separately using the same key. This method is not secure, as equal plaintext blocks are transformed into equal ciphertext blocks, and a third party observing the encrypted data may easily determine its content even without knowing the encryption key.
 
To hide patterns in encrypted data while avoiding the re-issuing of a new key after each block cipher invocation, a method is needed to [[randomization|randomize]] the input data. In 1980, the [[National Institute of Standards and Technology|NIST]] published a national standard document designated [[Federal Information Processing Standard]] (FIPS) PUB 81, which specified four so-called [[Block cipher mode of operation|block cipher modes of operation]], each describing a different solution for encrypting a set of input blocks. The first mode implements the simple strategy described above, and was specified as the [[electronic codebook]] (ECB) mode. In contrast, each of the other modes describes a process where ciphertext from one block encryption step gets intermixed with the data from the next encryption step. To initiate this process, an additional input value is required to be mixed with the first block, which is referred to as an ''initialization vector''. For example, the [[cipher-block chaining]] (CBC) mode requires an unpredictable value, of size equal to the cipher's block size, as additional input. This unpredictable value is added to the first plaintext block before subsequent encryption. In turn, the ciphertext produced in the first encryption step is added to the second plaintext block, and so on. The ultimate goal for encryption schemes is to provide [[semantic security]]: by this property, it is practically impossible for an attacker to draw any knowledge from observed ciphertext. It can be shown that each of the three additional modes specified by NIST is semantically secure under so-called [[chosen-plaintext attack]]s.
 
==Properties==
 
== WEP IV ==
The [[802.11]] [[encryption]] [[algorithm]] called WEP (short for [[Wired Equivalent Privacy]]) used a short, 24-bit IV, leading to reused IVs with the same key, which led to it being easily cracked.<ref name="Intercepting_Mobile_Comm_Nik_Ian_Dav">{{cite web |first1=Nikita |last1=Borisov |author-link1=Nikita Borisov |first2=Ian |last2=Goldberg |author-link2=Ian Goldberg |first3=David |last3=Wagner |author-link3=David A. Wagner |title = Intercepting Mobile Communications: The Insecurity of 802.11 |url = http://www.isaac.cs.berkeley.edu/isaac/mobicom.pdf |access-date = 2006-09-12 }}</ref> [[Packet injection]] allowed for WEP to be cracked in times as short as several seconds. This ultimately led to the deprecation of WEP.
 
== SSL 2.0 IV ==
 
In [[Block cipher mode of operation#Cipher_block_chaining_(CBC)|cipher-block chaining mode]] (CBC mode), the IV need not be secret, but must be unpredictable at encryption time: for any given plaintext, it must not be possible to predict the IV that will be associated with that plaintext before the IV is generated. Additionally, for the [[Block cipher mode of operation#OFB|output feedback mode]] (OFB mode), the IV must be unique.<ref>{{citation |author = Morris Dworkin |title = NIST Recommendation for Block Cipher Modes of Operation; Chapters 6.2 and 6.4 |date = 2001 |url = https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf }}</ref> In particular, the (previously) common practice of re-using the last ciphertext block of a message as the IV for the next message is insecure (for example, this method was used by SSL 2.0). If an attacker knows the IV (or the previous ciphertext block) before choosing the next plaintext, they can verify a guess about the plaintext of some block that was previously encrypted under the same key. This is known as the TLS CBC IV attack, also called the [[Transport Layer Security#BEAST attack|BEAST attack]].<ref>{{citation |author = B. Moeller |title = Security of CBC Ciphersuites in SSL/TLS: Problems and Countermeasures |date = May 20, 2004 |url = http://www.openssl.org/~bodo/tls-cbc.txt |access-date = September 1, 2014 |archive-date = June 30, 2012 |archive-url = https://web.archive.org/web/20120630143111/http://www.openssl.org/~bodo/tls-cbc.txt |url-status = dead }}</ref>
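Both failure modes on this page, IV reuse under one key (the WEP section) and the SSL 2.0 habit of using the previous message's last ciphertext block as the next IV (this section), are mechanical enough to check for in captured or logged traffic. The following is an added example, not code from the Wikipedia article or from any protocol implementation; the records it scans are constructed sample values, and the `fresh_iv` helper shows the remedy the text implies (a fresh unpredictable IV per message, transmitted in the clear alongside the ciphertext).

```python
import os
from collections import defaultdict

BLOCK = 16  # block size of the underlying cipher, assumed 128-bit

# Constructed sample records (key_id, iv_hex, ciphertext_hex); not real traffic.
# Record 1 reuses record 0's IV under the same key; record 3's IV equals the last
# ciphertext block of record 2, i.e. SSL 2.0-style chaining.  Record 4 uses the
# same IV value as record 0 but under a different key, which is not a finding.
RECORDS = [
    ("k1", "00" * 16, "aa" * 16 + "bb" * 16),
    ("k1", "00" * 16, "cc" * 16),
    ("k1", "11" * 16, "dd" * 16 + "ee" * 16),
    ("k1", "ee" * 16, "ff" * 16),
    ("k2", "00" * 16, "12" * 16),
]


def audit_ivs(records) -> list:
    """Return [(record_index, finding)] for two CBC IV hygiene violations:
    'iv-reuse'   - the same IV was already used under this key;
    'chained-iv' - the IV equals the previous message's last ciphertext block
                   under this key, so it was predictable before encryption."""
    findings = []
    seen = defaultdict(set)       # key_id -> set of IVs observed
    prev_last_block = {}          # key_id -> last ciphertext block of previous message
    for idx, (key_id, iv_hex, ct_hex) in enumerate(records):
        iv, ct = bytes.fromhex(iv_hex), bytes.fromhex(ct_hex)
        if len(iv) != BLOCK or len(ct) % BLOCK:
            raise ValueError(f"record {idx}: IV or ciphertext is not block-aligned")
        if iv in seen[key_id]:
            findings.append((idx, "iv-reuse"))
        seen[key_id].add(iv)
        if prev_last_block.get(key_id) == iv:
            findings.append((idx, "chained-iv"))
        prev_last_block[key_id] = ct[-BLOCK:]
    return findings


def fresh_iv() -> bytes:
    """The remedy: an IV drawn fresh from the OS CSPRNG for every message.  It is
    neither reused nor derivable from earlier ciphertext, so it is unpredictable
    to anyone choosing a plaintext before it exists."""
    return os.urandom(BLOCK)


if __name__ == "__main__":
    for idx, finding in audit_ivs(RECORDS):
        print(f"record {idx}: {finding}")          # -> 1: iv-reuse, 3: chained-iv
    clean = [("k1", fresh_iv().hex(), "aa" * 16) for _ in range(1000)]
    print("findings with fresh IVs:", audit_ivs(clean))   # -> []
```

The audit is a detection aid, not a proof of safety: it catches the two textbook mistakes but cannot tell a counter-derived or otherwise predictable IV from a random one, so the generation path (a CSPRNG, as in `fresh_iv`) still has to be reviewed directly.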
 
== See also ==
* [[Block cipher mode of operation|Block cipher modes of operation]]
* [[CipherSaber]] (RC4 with IV)
 
 
== References ==
 
== Further reading ==
* {{cite book |first = B. |last = Schneier |author-link = Bruce Schneier |title = Applied Cryptography |url = https://archive.org/details/Applied_Cryptography_2nd_ed._B._Schneier |location = New York |publisher = Wiley |year = 1996 |edition = 2nd |isbn = 978-0-471-12845-8 }}
* {{cite book |first1 = N. |last1 = Ferguson |first2 = B. |last2 = Schneier |title = Practical Cryptography |location = New York |publisher = Wiley |year = 2003 |isbn = 978-0-471-22894-3 }}
 
{{Cryptography navbox | block | stream}}
 
[[Category:Block cipher modes of operation]]
[[Category:Cryptography]]