Characteristics of an Initialization Vector

2019-03-12 22:32发布

I'm by no means a cryptography expert, I have been reading a few questions around Stack Overflow and on Wikipedia but nothing is really 'clear cut' in terms of defining an IV and its usage.

Points I have discovered:

  • An IV is prepended to a plaintext message in order to strengthen the encryption
  • The IV is truely random
  • Each message has its own unique IV
  • Timestamps and cryptographic hashes are sometimes used instead of random values, but these are considered to be insecure as timestamps can be predicted
  • One of the weaknesses of WEP (in 802.11) is the fact that the IV will reset after a specific amount of encryptions, thus repeating the IV

I'm sure there are many other points to be made, can anyone think of any other characteristics which I've missed?

1条回答
一纸荒年 Trace。
2楼-- · 2019-03-12 23:09

An IV is "a public value which impacts the encryption process". The point of the IV is often to "randomize" the input data to avoid leaking information about which input blocks were identical in the plaintext (because identical blocks happen quite a lot in "real-life" data).

Whether the IV is input by pre-pending it or otherwise depends on the algorithm in which it is used. For symmetric encryption with a block cipher in CBC mode, the IV is pre-pended to the encrypted data (CBC uses, for each block, the previous encrypted block; the IV plays the role of the encrypted block -1).

An IV is distinct from a key in that a key is secret whereas the IV needs not be secret; the IV is often transmitted along the encrypted message. Conversely, the IV must be distinct for every message, whereas the key may be reused. Actually, the IV must be distinct for every message encrypted with the same key; if you use a new key for every message then you can use a constant, fixed IV. Note that the IV needs not be secret, but you can keep it secret if you wish. But the sender and the receiver must agree on the IV, and since the IV changes for every message then it can be inconvenient, in some setups, to keep IV secret.

Whether the IV must be uniformly random, or simply non-repeating, depends on the algorithm. CBC requires a random IV. Other modes are less picky, e.g. GCM. You may derive the key and the IV from a "master key", using a proper one-way function. This is what SSL does. It is more tricky that it seems, do not try it at home.

Repeating the IV is one of the numerous sins of WEP.

查看更多
登录 后发表回答