2

I have written a message and encrypted it using cipher block chaining.

What will happen if the receiver loses the Initialization Vector, or doesn't receive it at all?

4 Answers

1

When decrypting a message in CBC mode, each ciphertext block $c_i$ is decrypted with the chosen key, and then XORed with the previous ciphertext block $c_{i-1}$.

Since for $c_1$, there is no $c_0$, we use the IV instead. So if the receiver knows the ciphertext and the key used to encrypt it, but not the IV, they can decrypt everything apart from the first block.

3

In a cipher block chain, each block is XORed with the ciphertext of the previous block, not the plaintext. So even if you cannot decipher one block, as long as you have received the complete block intact and correct, you can still use it to decipher the next one.

So, if your receiver doesn't have the Initialization Vector, they will be unable to decipher the first block they receive. But as long as they receive the first block, they will still successfully decipher the second (and each successive) block.

3

The bigger problem is not the garbled first block, as already answered. The real problem is that if you use Authenticated Encryption (or AEAD), as you must, then the message cannot be authenticated without the IV (because the IV must be covered by the MAC), and when the message cannot be authenticated, it must not be decrypted. The job of the MAC is to ensure unauthenticated messages are never passed to AES (or whatever) together with your real key.

Since you are trying to decrypt messages that don't have their IV, we must assume they are also unauthenticated (or you had a MAC that didn't cover the IV, which is broken). Fix that.

You can do CBC + HMAC, encrypt-then-MAC (thus MAC-then-decrypt), with the MAC covering the IV, and it would be secure. But, it would be much better to use AES-GCM or ChaCha20-Poly1305. It would be even better to just use libsodium or Google Tink.

1
  • 1
    This is a great answer, and shows the important difference in the answers you'll get by asking the questions "what will happen" and "what should happen"...
    – Johnny
    Commented Apr 14, 2019 at 21:58
0

As mentioned in the other answers - For AES-CBC, if you have the key, but not the IV, then you can still decrypt the entire message, except for the first block. For a working example using openssl, consider the ciphertext below, which was encrypted using AES-128-CBC. The encryption key used was 1AFFB43263983EE5C3DC75BC5FF76D06, but the iv is not known:

7ea9fac5d627a27f7c3ec776cc059bd0
8219a48d3a9b6e0ed263d2d54f7953c8
025ca84b88574ce567af96482598a496
0e76394cbe347fd5ddbca644272979cb
6ee3287d3ccc02520bfdd53c93c4de5b
b85488940d97f8295139c445defefb73

The ciphertext above is hex-encoded and formatted with 16 bytes in each row, so that each row of 16 bytes represents one block of ciphertext. Without the iv, we can not decrypt the first block, but we can decrypt all of the remaining blocks. To do so, we simply remove the first block of ciphertext, and use this block as the iv:

echo -n '8219a48d3a9b6e0ed263d2d54f7953c8025ca84b88574ce567af96482598a4960e76394cbe347fd5ddbca644272979cb6ee3287d3ccc02520bfdd53c93c4de5bb85488940d97f8295139c445defefb73' | xxd -p -r | openssl aes-128-cbc -d -K 1AFFB43263983EE5C3DC75BC5FF76D06 -iv 7ea9fac5d627a27f7c3ec776cc059bd0 

The resulting plaintext is:

even years ago our fathers brought forth on this continent, a new nation…

Can you guess what the first block of plaintext was?
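The following is an added example, not part of any answer above and not their authors' code: it shows the CBC decryption rule from the answers (a wrong IV garbles only the first block) next to the encrypt-then-MAC check in which the tag covers the IV. To run with the Python standard library alone it assumes a 4-round Feistel stand-in for AES (illustrative, not secure); every function name and the sample message are constructed here.

```python
import hashlib, hmac, os
BLOCK = 16  # bytes, same block size as AES

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(key, blk, rounds):  # stand-in block cipher, NOT AES
    l, r = blk[:8], blk[8:]
    for rnd in rounds:
        l, r = r, xor(l, hmac.new(key, bytes([rnd]) + r, hashlib.sha256).digest()[:8])
    return r + l  # final swap makes the routine its own inverse

def block_encrypt(key, blk):
    return feistel(key, blk, range(4))
def block_decrypt(key, blk):
    return feistel(key, blk, reversed(range(4)))

def cbc_encrypt(key, iv, pt):
    pad = BLOCK - len(pt) % BLOCK
    pt += bytes([pad]) * pad  # PKCS#7 padding
    prev, out = iv, b""
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):  # P_i = D_k(C_i) XOR C_{i-1}, C_0 = IV; keeps padding
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(xor(block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:]))

def seal(enc_key, mac_key, pt):
    iv = os.urandom(BLOCK)
    ct = cbc_encrypt(enc_key, iv, pt)
    return iv, ct, hmac.new(mac_key, iv + ct, hashlib.sha256).digest()  # tag covers IV

def open_sealed(enc_key, mac_key, iv, ct, tag):
    expect = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("MAC check failed, refusing to decrypt")
    padded = cbc_decrypt(enc_key, iv, ct)
    return padded[:-padded[-1]]

if __name__ == "__main__":  # constructed sample; the receiver has lost the IV
    ek, mk = os.urandom(16), os.urandom(16)
    iv, ct, tag = seal(ek, mk, b"PAY 100 USD TO ACCOUNT 12345678 BEFORE FRIDAY NOON")
    print(cbc_decrypt(ek, bytes(BLOCK), ct))  # zero IV: only block 1 is garbled
    try:
        open_sealed(ek, mk, bytes(BLOCK), ct, tag)
    except ValueError as err:
        print(err)  # the tag covers the IV, so nothing is decrypted
```

Calling `cbc_decrypt(key, ct[:BLOCK], ct[BLOCK:])` reproduces the trick from the openssl answer: the first ciphertext block serves as the IV for the rest.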
