为什么在 CBC 模式下使用非随机 IV 是一个漏洞? [英] Why is using a Non-Random IV with CBC Mode a vulnerability?

问题描述

我理解 IV 的目的.特别是在 CBC 模式下，这可确保使用相同密钥加密的 2 条消息的第一块永远不会相同.但是，如果 IV 是连续的，为什么它是一个漏洞?根据 CWE-329 非随机 IV 允许字典攻击的可能性.我知道在实践中，像 WEP 这样的协议不会努力隐藏 IV.如果攻击者拥有 IV 和密文消息，那么这将为针对密钥的字典攻击打开大门.我看不出随机 iv 如何改变这一点.(我知道对 wep 的攻击比这更复杂.)

I understand the purpose of an IV. Specifically in CBC mode this insures that the first block of of 2 messages encrypted with the same key will never be identical. But why is it a vulnerability if the IV's are sequential? According to CWE-329 NON-Random IV's allow for the possibility of a dictionary attack. I know that in practice protocols like WEP make no effort to hide the IV. If the attacker has the IV and a cipher text message then this opens the door for a dictionary attack against the key. I don't see how a random iv changes this. (I know the attacks against wep are more complex than this.)

随机 iv 有什么安全优势?这仍然是理想块密码"的问题吗?(一个完全安全的分组密码，没有任何可能的弱点.)

What security advantage does a randomized iv have? Is this still a problem with an "Ideal Block Cipher"? (A perfectly secure block cipher with no possible weaknesses.)

推荐答案

可预测的 IV 可以被选定的纯文本利用.

Predictable IVs can be exploited by chosen plain text.

假设 Eve 是一家保险公司的 DBA.该公司从受益人那里收集病史，其中包括许多关于医疗状况的真/假复选框.这家公司也碰巧自己的健康保险提供商.Eve 意识到，如果 Alice 发现 Alice 的健康状况特别令人尴尬，她可能会受到勒索.但是，每个字段中的值都是加密的，因此即使 Eve 是 DBA，她也只能访问密文.

Pretend that Eve is a DBA at an insurance company. The company collects medical histories from beneficiaries that include a lot of true/false check boxes about medical conditions. This company also happens to its own health insurance provider. Eve realizes that Alice could be blackmailed if she can discover that Alice has a particularly embarrassing medical condition. However, the value in each of these fields is encrypted, so even though Eve is the DBA, she only has access to the cipher text.

在 CBC 中，IV 与明文进行异或(用下面的⊕"表示)，然后通过分组密码:C₁ = E_k(IV ⊕ P₁).

In CBC, the IV is XORed (noted by "⊕" below) with the plain text, then run through the block cipher: C₁ = E_k(IV ⊕ P₁).

由于 Eve 是保险公司的受益人，她可以选择明文作为自己的病历，而且由于她是 DBA，她可以检查任何人的密文.除了使用可预测的 IV 之外，草率的应用程序开发人员在验证应用程序输入方面做得很差.如果 Eve 可以提前预测将应用于她 (IV_eve) 和 Alice (IV_alice) 记录的 IV，她可以选择纯文本作为她自己的记录像这样:P_eve = IV_eve ⊕ IV_alice ⊕ "false"

Since Eve is a beneficiary of the insurance company, she can choose the plain text for her own medical record, and since she is the DBA, she can examine anyone's cipher text. In addition to using predictable IVs, the sloppy application developer did a poor job of validating the application inputs. If Eve can predict the IVs that will be applied to her (IV_eve) and Alice's (IV_alice) records in advance, she can choose the plain text for her own record like this: P_eve = IV_eve ⊕ IV_alice ⊕ "false"

应用程序像这样加密这个纯文本:

The application encrypts this plain text like this:

C_eve = E_k(IV_eve ⊕ P_eve) = E_k(IV_eve ⊕ (IV_eve ⊕ IV_alice ⊕ "false"))

C_eve = E_k(IV_eve ⊕ P_eve) = E_k(IV_eve ⊕ (IV_eve ⊕ IV_alice ⊕ "false"))

IV_eve ⊕ IV_eve 抵消，这意味着 C_eve = E_k(IV_alice ⊕ "假")

The IV_eve ⊕ IV_eve cancels out, which means that C_eve = E_k(IV_alice ⊕ "false")

现在 Eve 可以比较 C_eve 和 C_alice.如果它们不同，她就知道 Alice 必须为该医疗状况输入true".

Now Eve can compare C_eve and C_alice. If they are different, she knows that Alice must have entered "true" for that medical condition.

使 IV 不可预测可以阻止这种攻击，而使它们不可预测的一种简单方法是在提供纯文本后随机选择它们.

Making IVs unpredictable thwarts this attack, and an easy way to make them unpredictable is to choose them randomly after the plain text has been supplied.

这篇关于为什么在 CBC 模式下使用非随机 IV 是一个漏洞?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！