Why is using a Non-Random IV with CBC Mode a vulnerability?


Question



I understand the purpose of an IV. Specifically in CBC mode this ensures that the first block of 2 messages encrypted with the same key will never be identical. But why is it a vulnerability if the IVs are sequential? According to CWE-329, non-random IVs allow for the possibility of a dictionary attack. I know that in practice protocols like WEP make no effort to hide the IV. If the attacker has the IV and a ciphertext message then this opens the door for a dictionary attack against the key. I don't see how a random IV changes this. (I know the attacks against WEP are more complex than this.)

What security advantage does a randomized IV have? Is this still a problem with an "Ideal Block Cipher"? (A perfectly secure block cipher with no possible weaknesses.)

Solution

Predictable IVs can be exploited by chosen plain text.

Pretend that Eve is a DBA at an insurance company. The company collects medical histories from beneficiaries that include a lot of true/false check boxes about medical conditions. This company also happens to be its own health insurance provider. Eve realizes that Alice could be blackmailed if she can discover that Alice has a particularly embarrassing medical condition. However, the value in each of these fields is encrypted, so even though Eve is the DBA, she only has access to the ciphertext.

In CBC, the IV is XORed (noted by "⊕" below) with the plaintext, then run through the block cipher: C_1 = E_k(IV ⊕ P_1).

Since Eve is a beneficiary of the insurance company, she can choose the plaintext for her own medical record, and since she is the DBA, she can examine anyone's ciphertext. In addition to using predictable IVs, the sloppy application developer did a poor job of validating the application inputs. If Eve can predict the IVs that will be applied to her (IV_eve) and Alice's (IV_alice) records in advance, she can choose the plaintext for her own record like this: P_eve = IV_eve ⊕ IV_alice ⊕ "false"

The application encrypts this plaintext like this:

C_eve = E_k(IV_eve ⊕ P_eve) = E_k(IV_eve ⊕ (IV_eve ⊕ IV_alice ⊕ "false"))

The IV_eve ⊕ IV_eve cancels out, which means that C_eve = E_k(IV_alice ⊕ "false")

Now Eve can compare C_eve and C_alice. If they are different, she knows that Alice must have entered "true" for that medical condition.

Making IVs unpredictable thwarts this attack, and an easy way to make them unpredictable is to choose them randomly after the plain text has been supplied.
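A worked simulation of the scenario in this answer, added here as an example (it is not code from the answer or from any library). It assumes a stand-in keyed function for the block cipher E_k, because the Python standard library has no AES, and constructed record numbers 7 and 8 for Alice and Eve; it shows that with counter IVs the ciphertext of Eve's chosen plaintext equals Alice's exactly when Alice answered "false", and that IVs drawn at random after the plaintext is supplied make the comparison uninformative.

```python
import hashlib
import hmac
import secrets

BLOCK = 16  # block size in bytes (as for AES)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def E_k(key: bytes, block: bytes) -> bytes:
    # Stand-in for the block cipher E_k. Assumption: the standard library has no
    # AES, so a keyed HMAC truncated to one block plays the deterministic keyed
    # function; the demonstration relies only on E_k being deterministic.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def cbc_first_block(key: bytes, iv: bytes, p1: bytes) -> bytes:
    # C_1 = E_k(IV ⊕ P_1): the first CBC step from the answer.
    return E_k(key, xor(iv, p1))

def field_block(answer: str) -> bytes:
    # Constructed encoding of one true/false checkbox as a zero-padded block.
    return answer.encode().ljust(BLOCK, b"\x00")

def counter_iv(record_id: int) -> bytes:
    # The predictable scheme the answer warns about: IV derived from the record number.
    return record_id.to_bytes(BLOCK, "big")

def eve_chosen_plaintext(iv_eve: bytes, iv_alice: bytes, guess: str) -> bytes:
    # P_eve = IV_eve ⊕ IV_alice ⊕ guess, built from the IVs Eve predicts.
    return xor(xor(iv_eve, iv_alice), field_block(guess))

def leaks_alice_answer(alice_answer: str, random_ivs: bool, key=None) -> bool:
    """True if Eve's probe ciphertext equals Alice's, i.e. Eve learns Alice's answer."""
    key = key or secrets.token_bytes(BLOCK)
    alice_id, eve_id = 7, 8  # constructed record numbers
    if random_ivs:  # the fix: IVs drawn only after the plaintext is supplied
        iv_alice, iv_eve = secrets.token_bytes(BLOCK), secrets.token_bytes(BLOCK)
    else:
        iv_alice, iv_eve = counter_iv(alice_id), counter_iv(eve_id)
    c_alice = cbc_first_block(key, iv_alice, field_block(alice_answer))
    # Eve can only predict counter IVs; the application encrypts with the real iv_eve.
    p_eve = eve_chosen_plaintext(counter_iv(eve_id), counter_iv(alice_id), "false")
    c_eve = cbc_first_block(key, iv_eve, p_eve)  # no validation of Eve's input
    return c_eve == c_alice
```

With random IVs the comparison fails whatever Alice entered, so Eve's probe no longer distinguishes "true" from "false".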
