Initialization vector

From Wikipedia, the free encyclopedia
Input to a cryptographic primitive

In cryptography, an initialization vector (IV) or starting variable[1] is an input to a cryptographic primitive being used to provide the initial state. The IV is typically required to be random or pseudorandom, but sometimes an IV only needs to be unpredictable or unique. Randomization is crucial for some encryption schemes to achieve semantic security, a property whereby repeated usage of the scheme under the same key does not allow an attacker to infer relationships between (potentially similar) segments of the encrypted message. For block ciphers, the use of an IV is described by the modes of operation.

Some cryptographic primitives require the IV only to be non-repeating, and the required randomness is derived internally. In this case, the IV is commonly called a nonce (a number used only once), and the primitives (e.g. CBC) are considered stateful rather than randomized. This is because an IV need not be explicitly forwarded to a recipient but may be derived from a common state updated at both sender and receiver side. (In practice, a short nonce is still transmitted along with the message to account for message loss.) An example of stateful encryption schemes is the counter mode of operation, which uses a sequence number as the nonce.

The IV size depends on the cryptographic primitive used; for block ciphers it is generally the cipher's block size. In encryption schemes, the unpredictable part of the IV has at best the same size as the key to compensate for time/memory/data tradeoff attacks.[2][3][4][5] When the IV is chosen at random, the probability of collisions due to the birthday problem must be taken into account. Traditional stream ciphers such as RC4 do not support an explicit IV as input, and a custom solution for incorporating an IV into the cipher's key or internal state is needed. Some designs realized in practice are known to be insecure; the WEP protocol is a notable example, and is prone to related-IV attacks.

Motivation

Figure caption: Insecure encryption of an image as a result of electronic codebook mode encoding.

A block cipher is one of the most basic primitives in cryptography, and frequently used for data encryption. However, by itself, it can only be used to encode a data block of a predefined size, called the block size. For example, a single invocation of the AES algorithm transforms a 128-bit plaintext block into a ciphertext block of 128 bits in size. The key, which is given as one input to the cipher, defines the mapping between plaintext and ciphertext. If data of arbitrary length is to be encrypted, a simple strategy is to split the data into blocks each matching the cipher's block size, and encrypt each block separately using the same key. This method is not secure as equal plaintext blocks get transformed into equal ciphertexts, and a third party observing the encrypted data may easily determine its content even when not knowing the encryption key.

To hide patterns in encrypted data while avoiding the re-issuing of a new key after each block cipher invocation, a method is needed to randomize the input data. In 1980, the NIST published a national standard document designated Federal Information Processing Standard (FIPS) PUB 81, which specified four so-called block cipher modes of operation, each describing a different solution for encrypting a set of input blocks. The first mode implements the simple strategy described above, and was specified as the electronic codebook (ECB) mode. In contrast, each of the other modes describes a process where ciphertext from one block encryption step gets intermixed with the data from the next encryption step. To initiate this process, an additional input value, referred to as an initialization vector, is required to be mixed with the first block. For example, the cipher-block chaining (CBC) mode requires an unpredictable value, of size equal to the cipher's block size, as additional input. This unpredictable value is added to the first plaintext block before subsequent encryption. In turn, the ciphertext produced in the first encryption step is added to the second plaintext block, and so on. The ultimate goal for encryption schemes is to provide semantic security: by this property, it is practically impossible for an attacker to draw any knowledge from observed ciphertext. It can be shown that each of the three additional modes specified by the NIST is semantically secure under so-called chosen-plaintext attacks.
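The ECB-versus-CBC behaviour described above, as an added Python example that is not part of the article: a toy 4-round Feistel cipher stands in for AES (an assumption; the modes themselves are the real ECB and CBC constructions), and the plaintext is constructed as four identical 16-byte blocks so that no padding is needed.

```python
import hashlib
import os

BLOCK = 16  # 128-bit blocks, like AES

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel cipher on 16-byte blocks (assumption: stands in for AES)."""
    left, right = block[:8], block[8:]
    for rnd in range(4):  # round function: keyed SHA-256 of one half, truncated to 8 bytes
        left, right = right, xor(left, hashlib.sha256(key + bytes([rnd]) + right).digest()[:8])
    return left + right

def toy_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):  # undo the rounds in reverse order
        left, right = xor(right, hashlib.sha256(key + bytes([rnd]) + left).digest()[:8]), left
    return left + right

def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # ECB: blocks are encrypted independently, so equal plaintext blocks give equal ciphertext blocks.
    return b"".join(toy_encrypt(key, b) for b in blocks(plaintext))

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # CBC: each block is XORed with the previous ciphertext block (the IV for the first) before encryption.
    out, prev = [], iv
    for b in blocks(plaintext):
        prev = toy_encrypt(key, xor(b, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for c in blocks(ciphertext):
        out.append(xor(toy_decrypt(key, c), prev))
        prev = c
    return b"".join(out)

def demo() -> tuple:
    key, iv = os.urandom(16), os.urandom(BLOCK)
    plaintext = b"SAME BLOCK HERE!" * 4  # constructed input: four identical blocks, no padding needed
    ecb, cbc = ecb_encrypt(key, plaintext), cbc_encrypt(key, iv, plaintext)
    dups = lambda d: len(blocks(d)) - len(set(blocks(d)))  # ciphertext blocks repeating an earlier one
    return dups(ecb), dups(cbc), cbc_decrypt(key, iv, cbc) == plaintext
```

`demo()` returns `(3, 0, True)`: ECB exposes three repeated ciphertext blocks, CBC with a fresh random IV exposes none, and CBC decryption recovers the plaintext.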

Properties


Properties of an IV depend on the cryptographic scheme used. A basic requirement is uniqueness, which means that no IV may be reused under the same key. For block ciphers, repeated IV values devolve the encryption scheme into electronic codebook mode: equal IV and equal plaintext result in equal ciphertext. In stream cipher encryption uniqueness is crucially important as plaintext may be trivially recovered otherwise.

Example: Stream ciphers encrypt plaintext P to ciphertext C by deriving a key stream K from a given key and IV and computing C as C = P xor K. Assume that an attacker has observed two messages C1 and C2 both encrypted with the same key and IV. Then knowledge of either P1 or P2 reveals the other plaintext since
C1 xor C2 = (P1 xor K) xor (P2 xor K) = P1 xor P2.
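The two-message computation above, as an added Python example that is not from the article: a counter-mode SHA-256 keystream stands in for a real stream cipher (an assumption; the C = P xor K structure is the point), and the two sample messages are constructed.

```python
import hashlib
import os

def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Toy keystream generator (assumption: stands in for a real stream cipher):
    SHA-256 over key || iv || counter, so the stream is a function of (key, IV) only."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def stream_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # C = P xor K. Reusing (key, IV) reuses K, which is the flaw the article describes.
    return xor(plaintext, keystream(key, iv, len(plaintext)))

def recover_other_plaintext(c1: bytes, c2: bytes, p1: bytes) -> bytes:
    # C1 xor C2 = P1 xor P2, so one known plaintext yields the other without the key.
    return xor(xor(c1, c2), p1)

def iv_reuse_demo() -> tuple:
    key = os.urandom(32)
    p1, p2 = b"ATTACK AT DAWN  ", b"MEET AT THE PIER"  # constructed messages of equal length
    iv = os.urandom(12)
    c1 = stream_encrypt(key, iv, p1)
    c2 = stream_encrypt(key, iv, p2)                    # same key AND same IV: the flaw
    c2_fresh = stream_encrypt(key, os.urandom(12), p2)  # unique IV: what should happen
    keystream_cancels = xor(c1, c2) == xor(p1, p2)
    leaked = recover_other_plaintext(c1, c2, p1) == p2
    not_leaked = recover_other_plaintext(c1, c2_fresh, p1) == p2
    return keystream_cancels, leaked, not_leaked
```

`iv_reuse_demo()` returns `(True, True, False)`: with the IV reused the keystream cancels and P2 is exposed, while with a unique IV the same computation yields nothing.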

Many schemes require the IV to be unpredictable by an adversary. This is effected by selecting the IV at random or pseudo-randomly. In such schemes, the chance of a duplicate IV is negligible, but the effect of the birthday problem must be considered. As for the uniqueness requirement, a predictable IV may allow recovery of (partial) plaintext.

Example: Consider a scenario where a legitimate party called Alice encrypts messages using the cipher-block chaining mode. Consider further that there is an adversary called Eve that can observe these encryptions and is able to forward plaintext messages to Alice for encryption (in other words, Eve is capable of a chosen-plaintext attack). Now assume that Alice has sent a message consisting of an initialization vector IV1 and starting with a ciphertext block C_Alice. Let further P_Alice denote the first plaintext block of Alice's message, let E denote encryption, and let P_Eve be Eve's guess for the first plaintext block. Now, if Eve can determine the initialization vector IV2 of the next message she will be able to test her guess by forwarding a plaintext message to Alice starting with (IV2 xor IV1 xor P_Eve); if her guess was correct this plaintext block will get encrypted to C_Alice by Alice. This is because of the following simple observation:
C_Alice = E(IV1 xor P_Alice) = E(IV2 xor (IV2 xor IV1 xor P_Alice)).[6]
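The chosen-plaintext check above, as an added Python example that is not from the article. It assumes a counter-based IV policy for the predictable case (each IV is the previous one plus one) and a keyed SHA-256 as a stand-in for the block cipher E; the same probe is then run against a random-IV policy to show that the check yields nothing there.

```python
import hashlib
import os

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def increment(iv: bytes) -> bytes:
    return ((int.from_bytes(iv, "big") + 1) % (1 << 128)).to_bytes(16, "big")

def E(key: bytes, block: bytes) -> bytes:
    # Stand-in for one block-cipher call (assumption: keyed SHA-256 truncated to 16 bytes);
    # only the first block's encryption is exercised here, so invertibility is not needed.
    return hashlib.sha256(key + block).digest()[:16]

class Alice:
    """CBC encryptor with a selectable IV policy: a counter (predictable) or os.urandom (random)."""
    def __init__(self, key: bytes, predictable_iv: bool):
        self.key, self.predictable_iv = key, predictable_iv
        self.last_iv = os.urandom(16)

    def encrypt_first_block(self, block: bytes) -> tuple:
        self.last_iv = increment(self.last_iv) if self.predictable_iv else os.urandom(16)
        return self.last_iv, E(self.key, xor(self.last_iv, block))  # CBC: C1 = E(IV xor P1)

def eve_tests_guess(alice: Alice, iv1: bytes, c_alice: bytes, guess: bytes) -> bool:
    # Eve assumes counter IVs, so she predicts IV2 = IV1 + 1 and submits IV2 xor IV1 xor guess.
    # Alice computes E(IV2 xor IV2 xor IV1 xor guess) = E(IV1 xor guess), which equals
    # C_Alice = E(IV1 xor P_Alice) exactly when guess == P_Alice.
    iv2 = increment(iv1)
    _, c_probe = alice.encrypt_first_block(xor(xor(iv2, iv1), guess))
    return c_probe == c_alice

def demo() -> tuple:
    secret, wrong = b"TRANSFER 1000USD", b"TRANSFER 9999USD"  # constructed 16-byte first blocks
    key = os.urandom(32)
    counter_alice = Alice(key, predictable_iv=True)
    iv1, c_alice = counter_alice.encrypt_first_block(secret)
    right_hit = eve_tests_guess(counter_alice, iv1, c_alice, secret)  # correct guess confirmed
    iv1, c_alice = counter_alice.encrypt_first_block(secret)
    wrong_hit = eve_tests_guess(counter_alice, iv1, c_alice, wrong)   # wrong guess rejected
    random_alice = Alice(key, predictable_iv=False)
    iv1, c_alice = random_alice.encrypt_first_block(secret)
    random_hit = eve_tests_guess(random_alice, iv1, c_alice, secret)  # prediction fails: nothing learned
    return right_hit, wrong_hit, random_hit
```

`demo()` returns `(True, False, False)`: with predictable IVs the probe confirms or rejects a guess, with random IVs the probe's ciphertext matches nothing, which is why CBC requires unpredictable IVs.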

Depending on whether the IV for a cryptographic scheme must be random or only unique, the scheme is either called randomized or stateful. While randomized schemes always require the IV chosen by a sender to be forwarded to receivers, stateful schemes allow sender and receiver to share a common IV state, which is updated in a predefined way at both sides.

Block ciphers


Block cipher processing of data is usually described as a mode of operation. Modes are primarily defined for encryption as well as authentication, though newer designs exist that combine both security solutions in so-called authenticated encryption modes. While encryption and authenticated encryption modes usually take an IV matching the cipher's block size, authentication modes are commonly realized as deterministic algorithms, and the IV is set to zero or some other fixed value.

Stream ciphers


In stream ciphers, IVs are loaded into the keyed internal secret state of the cipher, after which a number of cipher rounds are executed prior to releasing the first bit of output. For performance reasons, designers of stream ciphers try to keep that number of rounds as small as possible. However, determining the minimal secure number of rounds for a stream cipher is not a trivial task, and other issues such as entropy loss are unique to each cipher construction. As a result, related-IV and other IV-related attacks are a known security issue for stream ciphers, which makes IV loading in stream ciphers a serious concern and a subject of ongoing research.

WEP IV


The 802.11 encryption algorithm called WEP (short for Wired Equivalent Privacy) used a short, 24-bit IV, leading to reused IVs with the same key, which led to it being easily cracked.[7] Packet injection allowed for WEP to be cracked in times as short as several seconds. This ultimately led to the deprecation of WEP.

SSL 2.0 IV


In cipher-block chaining mode (CBC mode), the IV need not be secret, but it must be unpredictable at encryption time: in particular, for any given plaintext, it must not be possible to predict the IV that will be associated with the plaintext in advance of the generation of the IV. Additionally, for the output feedback mode (OFB mode), the IV must be unique.[8] In particular, the (previously) common practice of re-using the last ciphertext block of a message as the IV for the next message is insecure (for example, this method was used by SSL 2.0). If an attacker knows the IV (or the previous block of ciphertext) before he specifies the next plaintext, he can check his guess about the plaintext of some block that was encrypted with the same key before. This is known as the TLS CBC IV attack, also called the BEAST attack.[9]


References

  1. ISO/IEC 10116:2006, Information technology — Security techniques — Modes of operation for an n-bit block cipher.
  2. Alex Biryukov (2005). "Some Thoughts on Time-Memory-Data Tradeoffs". IACR ePrint Archive.
  3. Jin Hong; Palash Sarkar (2005). "Rediscovery of Time Memory Tradeoffs". IACR ePrint Archive.
  4. Biryukov, Alex; Mukhopadhyay, Sourav; Sarkar, Palash (2005). "Improved Time-Memory Trade-Offs with Multiple Data". In Preneel, Bart; Tavares, Stafford E. (eds.). Selected Areas in Cryptography, 12th International Workshop, SAC 2005, Kingston, ON, Canada, August 11-12, 2005, Revised Selected Papers. Lecture Notes in Computer Science. Vol. 3897. Springer. pp. 110–127. doi:10.1007/11693383_8. ISBN 978-3-540-33108-7.
  5. Christophe De Cannière; Joseph Lano; Bart Preneel (2005). Comments on the Rediscovery of Time/Memory/Data Trade-off Algorithm (PDF) (Technical report). ECRYPT Stream Cipher Project. 40.
  6. CWE-329: Not Using a Random IV with CBC Mode.
  7. Borisov, Nikita; Goldberg, Ian; Wagner, David. "Intercepting Mobile Communications: The Insecurity of 802.11" (PDF). Retrieved 2006-09-12.
  8. Morris Dworkin (2001), NIST Recommendation for Block Cipher Modes of Operation; Chapters 6.2 and 6.4 (PDF).
  9. B. Moeller (May 20, 2004), Security of CBC Ciphersuites in SSL/TLS: Problems and Countermeasures, archived from the original on June 30, 2012, retrieved September 1, 2014.

Retrieved from "https://en.wikipedia.org/w/index.php?title=Initialization_vector&oldid=1244468461"