[Botan-devel] Question about InitializationVector

Jack Lloyd lloyd at randombit.net
Sat May 6 00:28:35 EDT 2006

Hi Kevin,

I don't see a direct problem (though IANAC), but neither can I say it
gives me a comfy good feeling. The derived IV will essentially be the
SHA-1 hash of the key (along with some formatting introduced by KDF2,
but that is all predictable). You mention you are not using an S2K - is
there any randomness introduced when the password is converted into a
byte string for the key? If not, identical password => identical key
=> identical IV. That will let an attacker perform statistical attacks
and some modes (such as CTR and OFB) will fail completely.

An S2K algorithm works for any byte string, so you could run the
master keying material (password or RNG output) through it regardless
of source. Then the S2K algorithm can be used to generate both the key
and initialization vector without introducing any strange dependencies
between them.

Is there a reason you can't simply include the (random) initialization
vector along with the ciphertext?


On Fri, May 05, 2006 at 05:45:11PM -0400, Kevin Tambascio wrote:
> Hi,
> I am trying to use AES/CBC to encrypt some data.  The code worked fine
> when I used the same IV for both encrypt/decrypt.  When I tried to
> decrypt the data with another instance of the application, using a new
> IV, the first 16 bytes failed to decrypt, which is expected.  I needed
> to figure out a way to derive the IV from the password so that it is
> repeatable.
> So I looked more through the tutorial and found something close to what I 
> need.
> SymmetricKey symmetricKey(pKey->GetKeyBuffer(), pKey->GetKeySize());
> KDF* kdf = get_kdf("KDF2(SHA-1)");
> InitializationVector iv = kdf->derive_key(16, pKey->GetKeyBuffer(),
> pKey->GetKeySize(), "cipher iv");
> This seems to work fine.  One issue is that my interface accepts a
> password that is treated as a raw byte stream (could be random data
> from a PRNG), and may or may not be a string.  So I am not using the S2K
> object to derive the key, and hash it 4096 times, as one of the
> examples shows.  My main concern is whether this is secure enough.
> pKey is a pointer to my own class, that holds the raw byte stream that
> makes up the passphrase (which may or may not be a string).
> Any thoughts/examples would be appreciated.  I'm trying to use both
> AES-128 and AES-256, and Blowfish/Twofish.
> Regards,
> Kevin
> _______________________________________________
> botan-devel mailing list
> botan-devel at randombit.net
> http://www.randombit.net/mailman/listinfo/botan-devel
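The two points in the reply above, shown side by side as an added example (not Botan's code, and not from either poster): an unsalted KDF2(SHA-1) of the key yields the same IV every time, whereas one salted S2K pass (PBKDF2-HMAC-SHA1 standing in for Botan's S2K, with the 4096 iterations mentioned) yields both key and IV from a per-message salt that is stored next to the ciphertext. The KDF2 layout (SHA1(secret || 4-byte counter from 1 || label)) is my reading of ISO 18033-2 and is an assumption about what Botan computes.

```python
import hashlib
import os
import struct

ITERATIONS = 4096  # iteration count mentioned in the thread


def kdf2_sha1(secret: bytes, label: bytes, length: int) -> bytes:
    """KDF2 over SHA-1 as in ISO 18033-2 (assumed to match Botan's KDF2):
    concatenated SHA1(secret || counter || label), counter big-endian from 1.
    No salt is involved, so equal inputs always give equal output."""
    out, counter = b"", 1
    while len(out) < length:
        out += hashlib.sha1(secret + struct.pack(">I", counter) + label).digest()
        counter += 1
    return out[:length]


def iv_from_key_unsalted(key: bytes) -> bytes:
    """The pattern quoted in the thread: a 16-byte IV derived from the key alone."""
    return kdf2_sha1(key, b"cipher iv", 16)


def key_and_iv_salted(passphrase: bytes, salt: bytes, key_len: int):
    """One S2K pass (PBKDF2-HMAC-SHA1) over the raw passphrase bytes and a
    public salt; the output is split into key || 16-byte IV, so key and IV
    share no structural dependency and change whenever the salt changes."""
    material = hashlib.pbkdf2_hmac("sha1", passphrase, salt, ITERATIONS, key_len + 16)
    return material[:key_len], material[key_len:]


def new_message_params(passphrase: bytes, key_len: int):
    """Encrypting side: fresh random salt per message; salt travels with the ciphertext."""
    salt = os.urandom(16)
    key, iv = key_and_iv_salted(passphrase, salt, key_len)
    return salt, key, iv


def reopen_message_params(passphrase: bytes, salt: bytes, key_len: int):
    """Decrypting side: the stored salt reproduces the same key and IV."""
    return key_and_iv_salted(passphrase, salt, key_len)


if __name__ == "__main__":
    pw = os.urandom(32)  # constructed raw-byte passphrase, as in the thread
    print("unsalted IV repeats:", iv_from_key_unsalted(pw) == iv_from_key_unsalted(pw))
    salt, key, iv = new_message_params(pw, 32)  # AES-256 key length
    print("reopen matches:", reopen_message_params(pw, salt, 32) == (key, iv))
```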
