Why is the IV passed in the clear when it can be easily encrypted?


  • The initialization vector (IV) is exclusive-or'd against the plain text before encryption for the first block sent in order to prevent an attacker from learning that duplicate message blocks are being sent. This technique is often used with streaming modes like CBC. I have researched some of the questions that were asked about whether it was safe to pass the IV in the clear. The general consensus seems to be that the IV can be safely passed in the clear, but the IV should be random to prevent certain kinds of attacks. Using a counter for the IV is also thought to be vulnerable, and only randomly generated IVs should be used. I don't really understand this, since the reason stated for passing a random IV is that it cannot be easily guessed. In any case, my question is as follows: It should be relatively easy to send the first block of a message encrypted, but without any IV processing. This first block could contain the IV, which would then be used for all remaining blocks of the message. Since the IV in the encrypted message is random, there should never be any duplicate first blocks. How come this is not being done, and isn't it at least a little safer than sending the IV in the clear?

  • Answer:

    Depending on the mode of operation, transmitting the IV encrypted (with the same key as used for the rest of the process) can actually weaken security a lot. For example, in the CFB (http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Cipher_feedback_.28CFB.29) and OFB (http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Output_feedback_.28OFB.29) modes, the IV is encrypted and the result XORed with the first block of the plaintext to produce the first block of ciphertext. Thus, an adversary who knows the encrypted IV can trivially undo the XOR to recover the first block of plaintext! The same is true for the CTR mode (http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Counter_.28CTR.29), if the IV/nonce is used directly as the initial counter value. The CBC mode (http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Cipher-block_chaining_.28CBC.29) works differently, and does not break as catastrophically if you encrypt the IV before transmitting it. However, as Henrick Hellström points out (http://crypto.stackexchange.com/questions/2280/why-is-the-iv-passed-in-the-clear-when-it-can-be-easily-encrypted#comment3657_2282), knowing the encrypted IV still lets an adversary figure out whether the first block of the plaintext consists of all zeros.

Bob Bryan at Cryptography


Other answers

Let's take a look at what happens for CBC mode encryption: https://i.stack.imgur.com/BnxHa.png As you can see, the IV is called the Initialization Vector because it is the first vector that is mixed with the plaintext before encryption. The next vectors are the ciphertext blocks before the one that is being encrypted. All of the ciphertext blocks are of course sent in the clear. Because of this it doesn't make sense to encrypt the very first one - you would only protect one of the many vectors. What you can do for CBC mode encryption is to use a PRP (block cipher) or PRF (cryptographically secure hash) to make the IV less distinguishable from random. The IV for CBC mode encryption must be unpredictable (to an adversary). In that case, however, you never decrypt the IV; you use the block cipher simply as an initial transformation. If you do keep the IV confidential then you could use a single block encrypt with a different - possibly derived - key.

Maarten Bodewes
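The two points made above (the first answer's "encrypted IV leaks the first plaintext block in OFB/CFB/CTR and reveals an all-zero first block in CBC", and Maarten's "derive an unpredictable clear-text IV through a PRF/PRP under a separate key") as an added, runnable illustration that is not part of any answer on this page. It assumes a stand-in for the block cipher's forward function E_K built from HMAC-SHA256 (constructed for the demo so it runs without a crypto library); the relations shown hold for any block cipher, since only E_K in the forward direction is used.

```python
import hmac
import hashlib

BLOCK = 16


def prf(key: bytes, block: bytes) -> bytes:
    """Stand-in for a block cipher's forward function E_K (constructed for this
    demo: HMAC-SHA256 truncated to one block, so no crypto library is needed).
    Only the forward direction is used, which is all the checks below need."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- the question's proposal: send E_K(IV) as block 0, then encrypt as usual ---

def ofb_ctr_first_block(key: bytes, iv: bytes, p1: bytes) -> bytes:
    """OFB, CFB and CTR (nonce used directly as the counter) all compute
    C1 = E_K(IV) XOR P1 for the first block."""
    return xor(prf(key, iv), p1)


def cbc_first_block(key: bytes, iv: bytes, p1: bytes) -> bytes:
    """CBC computes C1 = E_K(P1 XOR IV)."""
    return prf(key, xor(p1, iv))


def recover_p1(enc_iv: bytes, c1: bytes) -> bytes:
    """An observer holding E_K(IV) and C1 gets P1 back with no key at all."""
    return xor(enc_iv, c1)


def cbc_first_block_is_all_zero(enc_iv: bytes, c1: bytes) -> bool:
    """If P1 is all zeros, CBC gives C1 = E_K(0 XOR IV) = E_K(IV): exactly the
    transmitted encrypted IV, so the observer just tests that equality."""
    return hmac.compare_digest(enc_iv, c1)


# --- what the answers recommend instead: a clear-text IV that is unpredictable ---

def unpredictable_cbc_iv(iv_key: bytes, message_counter: int) -> bytes:
    """Derive the CBC IV by passing a sequence number through the PRF/PRP under
    a separate (possibly derived) key. The IV is sent in the clear and never
    decrypted; without iv_key an observer cannot predict the next one."""
    return prf(iv_key, message_counter.to_bytes(BLOCK, "big"))
```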

In general, encryption is computationally expensive, while the exclusive-or operation is so cheap as to be negligible. Encrypting a random IV would be more expensive than XORing it with the first message block, with no cryptographic advantage. As you said, the purpose of the IV is to prevent replay-type attacks, which would allow an attacker to recognize repeated blocks and eventually determine the key. But the IV needn't be secret as long as it's unique and can't be predicted. Giving the IV to an attacker along with the ciphertext will provide no cryptographic advantage. On the other hand, block encryption can be done in "counter" (CTR) mode. This does allow the sender to use sequential initializers, but they're combined with a nonce that's never re-used with the same key.

Adam Liss

Besides the already given answers, I would like to add that it can be considered safe to send the IV in the clear because an eventual attack with known plaintext (for example a known header and its corresponding ciphertext) would need to recalculate all the plaintext/ciphertext associations for each possible key in order to find the actual key used to encrypt that message. Since this operation is supposed to take a long time and should be done for each IV, if the IV is really chosen randomly and changed quite often, this kind of attack vanishes even if the IV is sent in the clear.

Pyrox
