Why is using a Non-Random IV with CBC Mode a vulnerability?

Views: 1834

Problem description



I understand the purpose of an IV. Specifically in CBC mode this ensures that the first block of 2 messages encrypted with the same key will never be identical. But why is it a vulnerability if the IVs are sequential? According to CWE-329 non-random IVs allow for the possibility of a dictionary attack. I know that in practice protocols like WEP make no effort to hide the IV. If the attacker has the IV and a cipher text message then this opens the door for a dictionary attack against the key. I don't see how a random IV changes this. (I know the attacks against WEP are more complex than this.)

What security advantage does a randomized IV have? Is this still a problem with an "Ideal Block Cipher"? (A perfectly secure block cipher with no possible weaknesses.)

Solution

Predictable IVs can be exploited by chosen plain text.

Pretend that Eve is a DBA at an insurance company. The company collects medical histories from beneficiaries that include a lot of true/false check boxes about medical conditions. This company also happens to be its own health insurance provider. Eve realizes that Alice could be blackmailed if she can discover that Alice has a particularly embarrassing medical condition. However, the value in each of these fields is encrypted, so even though Eve is the DBA, she only has access to the cipher text.

In CBC, the IV is XORed (noted by "⊕" below) with the plain text, then run through the block cipher: C1 = Ek(IV ⊕ P1).

Since Eve is a beneficiary of the insurance company, she can choose the plain text for her own medical record, and since she is the DBA, she can examine anyone's cipher text. In addition to using predictable IVs, the sloppy application developer did a poor job of validating the application inputs. If Eve can predict the IVs that will be applied to her (IVeve) and Alice's (IValice) records in advance, she can choose the plain text for her own record like this: Peve = IVeve ⊕ IValice ⊕ "false"

The application encrypts this plain text like this:

Ceve = Ek(IVeve ⊕ Peve) = Ek(IVeve ⊕ (IVeve ⊕ IValice ⊕ "false"))

The IVeve ⊕ IVeve cancels out, which means that Ceve = Ek(IValice ⊕ "false")

Now Eve can compare Ceve and Calice. If they are different, she knows that Alice must have entered "true" for that medical condition.

Making IVs unpredictable thwarts this attack, and an easy way to make them unpredictable is to choose them randomly after the plain text has been supplied.
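The chosen-plaintext check from this answer, worked through with AES as the block cipher (an added example, not code from the original question or answer): with a counter IV, Eve's comparison succeeds exactly when Alice answered "false", while an IV drawn only at encryption time defeats it. The key, the 16-byte one-block record layout and the IV numbers 41 and 42 are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
)

// Constructed demo key. Eve never learns it; the attack does not need it.
var key = []byte("0123456789abcdef")

func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// firstBlock is CBC's first block, C1 = E_k(IV xor P1): all the attack uses.
func firstBlock(iv, p1 []byte) []byte {
	blk, _ := aes.NewCipher(key) // 16-byte key, so NewCipher cannot fail here
	out := make([]byte, aes.BlockSize)
	blk.Encrypt(out, xor(iv, p1))
	return out
}

// field pads a checkbox answer to one block (constructed record layout);
// counterIV models the predictable scheme, where the n-th record gets IV n.
func field(v string) []byte { return append([]byte(v), make([]byte, aes.BlockSize-len(v))...) }
func counterIV(n byte) []byte { return append(make([]byte, aes.BlockSize-1), n) }

// randomIV is the fix: an IV drawn only after the plaintext has been supplied.
func randomIV() []byte {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	return iv
}

// eveTestsFalse: Alice's record is stored under IV 41, which Eve reads from the
// database. Betting that her own record gets IV 42, she submits
// P_eve = IV_42 xor IV_41 xor "false"; the app encrypts it under ivEve.
func eveTestsFalse(aliceValue string, ivEve []byte) bool {
	ivAlice := counterIV(41)
	cAlice := firstBlock(ivAlice, field(aliceValue))
	pEve := xor(xor(counterIV(42), ivAlice), field("false"))
	return bytes.Equal(firstBlock(ivEve, pEve), cAlice) // Eve's "Alice said false" verdict
}
```

Calling eveTestsFalse with counterIV(42) as the application's IV reproduces the answer's comparison; passing randomIV() instead shows the same check returning false even when Alice really answered "false".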

