Initialization vector: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 03:06, 26 December 2020 edit Monkbot (talk \| contribs) Bots 3,695,952 edits m Task 18 (cosmetic): eval 9 templates: hyphenate params (1×); Tag: AWB ← Previous edit		Latest revision as of 08:53, 7 September 2024 edit undo InternetArchiveBot (talk \| contribs) Bots, Pending changes reviewers 5,694,691 edits Rescuing 1 sources and tagging 0 as dead.) #IABot (v2.0.9.5
(25 intermediate revisions by 21 users not shown)
Line 1: {{Short description\|Input to a cryptographic primitive}} In [[cryptography]], an '''initialization vector''' ('''IV''') or '''starting variable''' ~~('''SV''')~~<ref>ISO/IEC 10116:2006 ''Information technology — Security techniques — Modes of operation for an ''n''-bit block cipher''</ref> is ~~a fixed-size~~an input to a [[cryptographic primitive]] ~~that~~being used to provide the initial state. The IV is typically required to be [[random]] or [[pseudorandom]], but sometimes an IV only needs to be unpredictable or unique. [[Randomization]] is crucial for some [[encryption]] schemes to achieve [[semantic security]], a property whereby repeated usage of the scheme under the same [[cryptographic key\|key]] does not allow an attacker to infer relationships between (potentially similar) segments of the encrypted message. For [[block cipher]]s, the use of an IV is described by the [[Block cipher mode of operation\|modes of operation]]~~. Randomization is also required for other primitives, such as [[universal hash function]]s and [[message authentication code]]s based thereon~~. Some cryptographic primitives require the IV only to be non-repeating, and the required randomness is derived internally. In this case, the IV is commonly called a [[cryptographic nonce\|nonce]] (''a number used only once''), and the primitives ~~are~~(e.g. ~~described~~[[Block_cipher_mode_of_operation#CBC\|CBC]]) are asconsidered ''stateful'' asrather ~~opposed to~~than ''randomized''. This is because ~~the~~an IV need not be explicitly forwarded to a recipient but may be derived from a common state updated at both sender and receiver side. (In practice, a short nonce is still transmitted along with the message to consider message loss.) An example of stateful encryption schemes is the [[counter mode]] of operation, which ~~uses~~has a [[sequence number]] asfor a nonce. The ~~size of the~~ IV issize ~~dependent~~depends on the cryptographic primitive used; for block ciphers, it is generally the cipher's block -size. ~~Ideally, for~~In encryption schemes, the unpredictable part of the IV has at best the same size as the key to compensate [[for time/memory/data tradeoff ~~attack]]s~~attacks.<ref>{{cite journal \|author = Alex Biryukov \|title = Some Thoughts on Time-Memory-Data Tradeoffs \|journal = IACR ePrint Archive \|year = 2005 \|url = http://eprint.iacr.org/2005/207 }}</ref><ref>{{cite journal \|author1 = Jin Hong \|author2 = Palash Sarkar \|title = Rediscovery of Time Memory Tradeoffs \|journal = IACR ePrint Archive \|year = 2005 \|url = http://eprint.iacr.org/2005/090 }}</ref><ref>{{cite journal \|author1 = Alex Biryukov \|author2 = Sourav Mukhopadhyay \|author3 = Palash Sarkar \|title = Improved Time-Memory Trade-Offs with Multiple Data \|journal = LNCS \|issue = 3897 \|pages = 110–127 \|publisher = Springer \|year = 2007 }}</ref><ref name="ECRYPT">{{cite techreport \|author1 = Christophe De Cannière \|author2 = Joseph Lano \|author3 = Bart Preneel \|title = Comments on the Rediscovery of Time/Memory/Data Trade-off Algorithm \|institution = ECRYPT Stream Cipher Project \|number = 40 \|year = 2005 \|url = http://www.ecrypt.eu.org/stream/papersdir/040.pdf }}</ref> When the IV is chosen at random, the probability of collisions due to the [[birthday problem]] must be taken into account. Traditional stream ciphers such as [[RC4]] do not support an explicit IV as input, and a custom solution for incorporating an IV into the cipher's key or internal state is needed. Some designs realized in practice are known to be insecure; the [[Wired Equivalent Privacy\|WEP]] protocol is a notable example, and is prone to [[Related-key attack\|related-IV attack]]s.conference \| last1 = Biryukov \| first1 = Alex \| last2 = Mukhopadhyay \| first2 = Sourav \| last3 = Sarkar \| first3 = Palash \| editor1-last = Preneel \| editor1-first = Bart \| editor2-last = Tavares \| editor2-first = Stafford E. \| contribution = Improved Time-Memory Trade-Offs with Multiple Data \| doi = 10.1007/11693383_8 \| pages = 110–127 \| publisher = Springer \| series = Lecture Notes in Computer Science \| title = Selected Areas in Cryptography, 12th International Workshop, SAC 2005, Kingston, ON, Canada, August 11-12, 2005, Revised Selected Papers \| volume = 3897 \| year = 2005\| doi-access = free \| isbn = 978-3-540-33108-7 }}</ref><ref name="ECRYPT">{{cite tech report \|author1 = Christophe De Cannière \|author2 = Joseph Lano \|author3 = Bart Preneel \|title = Comments on the Rediscovery of Time/Memory/Data Trade-off Algorithm \|institution = ECRYPT Stream Cipher Project \|number = 40 \|year = 2005 \|url = http://www.ecrypt.eu.org/stream/papersdir/040.pdf }}</ref> When the IV is chosen at random, the probability of collisions due to the [[birthday problem]] must be taken into account. Traditional stream ciphers such as [[RC4]] do not support an explicit IV as input, and a custom solution for incorporating an IV into the cipher's key or internal state is needed. Some designs realized in practice are known to be insecure; the [[Wired Equivalent Privacy\|WEP]] protocol is a notable example, and is prone to related-IV attacks. ==Motivation== [[File:Tux ~~ecb~~ECB.~~jpg~~png\|thumb\|Insecure encryption of an image as a result of [[electronic codebook]] mode encoding.]] A [[block cipher]] is one of the most basic [[cryptographic primitive\|primitive]]s in cryptography, and frequently used for data [[encryption]]. However, by itself, it can only be used to encode a data block of a predefined size, called the [[block size (cryptography)\|block size]]. For example, a single invocation of the [[Advanced Encryption Standard\|AES]] algorithm transforms a 128-bit [[plaintext]] block into a [[ciphertext]] block of 128 bits in size. The [[cryptographic key\|key]], which is given as one input to the cipher, defines the mapping between plaintext and ciphertext. If data of arbitrary length is to be encrypted, a simple strategy is to split the data into blocks each matching the cipher's block size, and encrypt each block separately using the same key. This method is not secure as equal plaintext blocks get transformed into equal ciphertexts, and a third party observing the encrypted data may easily determine its content even when not knowing the encryption key. Line 32 ⟶ 48: == WEP IV == The [[802.11]] [[encryption]] [[algorithm]] called WEP (short for [[Wired Equivalent Privacy]]) used a short, 24-bit IV, leading to reused IVs with the same key, which led to it being easily cracked.<ref name="Intercepting_Mobile_Comm_Nik_Ian_Dav">{{cite ~~document~~web \|~~author~~first1=Nikita \|last1=Borisov [[\|author-link1=Nikita Borisov~~]],~~ [[\|first2=Ian \|last2=Goldberg~~]],~~ ~~[[David~~\|author-link2=Ian A.Goldberg \|first3=David \|last3=Wagner \|author-link3=David A. Wagner]] \|title = Intercepting Mobile Communications: The Insecurity of 802.11 \|url = http://www.isaac.cs.berkeley.edu/isaac/mobicom.pdf \|access-date = 2006-09-12 }}</ref> [[Packet injection]] allowed for WEP to be cracked in times as short as several seconds. This ultimately led to the deprecation of WEP. == SSL 2.0 IV == In [[Block cipher mode of operation#Cipher_block_chaining_(CBC)\|cipher-block chaining mode]] (CBC mode), the IV need not be secret, but must be unpredictable (In particular, for any given plaintext, it must not be possible to predict the IV that will be associated to the plaintext in advance of the generation of the IV.) at encryption time. Additionally for the [[Block cipher mode of operation#OFB\|output feedback mode]] (OFB mode), the IV must be unique.<ref>{{citation \|author = Morris Dworkin \|title = NIST Recommendation for Block Cipher Modes of Operation; Chapters 6.2 and 6.4 \|date = 2001 \|url = https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf }}</ref> In particular, the (previously) common practice of re-using the last ciphertext block of a message as the IV for the next message is insecure (for example, this method was used by SSL 2.0). If an attacker knows the IV (or the previous block of ciphertext) before he specifies the next plaintext, he can check his guess about plaintext of some block that was encrypted with the same key before. This is known as the TLS CBC IV attack, also called the [[Transport Layer Security#BEAST attack\|BEAST attack]].<ref>{{citation \|author = B. Moeller \|title = Security of CBC Ciphersuites in SSL/TLS: Problems and Countermeasures \|date = May 20, 2004 \|url = http://www.openssl.org/~bodo/tls-cbc.txt \|access-date = September 1, 2014 \|archive-date = June 30, 2012 \|archive-url = https://web.archive.org/web/20120630143111/http://www.openssl.org/~bodo/tls-cbc.txt \|url-status = dead }}</ref> ~~In [[Block cipher mode of operation#Cipher-block chaining (CBC)\|cipher-block chaining mode]] (CBC mode), the IV need not be secret, but must be unpredictable (In particular, for any given~~ plaintext, it must not be possible to predict the IV that will be associated to the plaintext in advance of the generation of the IV.) at encryption time. Additionally for the OFB mode, the IV must be unique.<ref>{{citation \|author = Morris Dworkin \|title = NIST Recommendation for Block Cipher Modes of Operation; Chapters 6.2 and 6.4 \|date = 2001 \|url = https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf }} ~~</ref>~~ ~~In particular, the (previously) common practice of re-using the last ciphertext block of a message as the IV for the next message is insecure (for example, this method was used by SSL 2.0).~~ If an attacker knows the IV (or the previous block of ciphertext) before he specifies the next plaintext, he can check his guess about plaintext of some block that was encrypted with the same key before. ~~This is known as the TLS CBC IV attack, also called the [[Transport Layer Security#BEAST attack\|BEAST attack]].<ref>~~ ~~{{citation \|author = B. Moeller \|title = Security of CBC Ciphersuites in SSL/TLS: Problems and Countermeasures \|date = May 20, 2004 \|url = http://www.openssl.org/~bodo/tls-cbc.txt }}~~ ~~</ref>~~ == See also ==