[Botan-devel] Question about InitializationVector

Kevin Tambascio kevin.tambascio at gmail.com
Sat May 6 13:09:35 EDT 2006


Jack,

I was figuring as much.  I am using the CBC mode for this operation. 
Currently, there is no  randomness, because there is no conversion. 
If a client gives the interface a 128-bit long octet string from a
PRNG, then I use that directly as the key.  If they give me an ascii
string passphrase, I currently hash it to get either a 128-bit or
256-bit long octet.

I could store the IV with the cipher data.  The only issue, is that if
someone wants to decrypt this with another implementation of AES, they
would have to know to use the first 16 bytes as the IV, and proceed
from there.  But I'm guessing that's a standard practice.

So if I follow the S2K algorithms, and use that for the IV, I should
be better off, because that example did introduce some randomness into
the system.  right?

Thanks for your help,
Kevin

On 5/6/06, Jack Lloyd <lloyd at randombit.net> wrote:
> Hi Kevin,
>
> I don't see a direct problem (though IANAC), but neither can I say it
> gives me a comfy good feeling. The derived IV will essentially be the
> SHA-1 hash of the key (along with some formatting introduced by KDF2,
> but that is all predicable). You mention you are not using an S2K - is
> there any randomness introduced when the password is converted into a
> byte string for the key? If not, identical password => identical key
> => identical IV. That will let an attacker perform statistical attacks
> and some modes (such as CTR and OFB) will fail completely.
>
> An S2K algorithm works for any byte string, so you could run the
> master keying material (password or RNG output) through it regardless
> of source. Then the S2K algorithm can be used to generate both the key
> and initialization vector without introducing any strange dependencies
> between them.
>
> Is there a reason you can't simply include the (random) initialization
> vector along with the ciphertext?
>
> -Jack
>
> On Fri, May 05, 2006 at 05:45:11PM -0400, Kevin Tambascio wrote:
> > Hi,
> >
> > I am trying to use AES/CBC to encrypt some data.  The code worked fine
> > when I used the same IV for both encrypt/decrypt.  When tried to
> > decrypt the data with another instance of the application, using a new
> > IV, the first 16 bytes failed to decrypt, which is expected.  I needed
> > to figure out a way to derive the IV from the password so that it is
> > repeatable.
> >
> > So I looked more through the tutorial and found something close to what I
> > need.
> >
> > SymmetricKey symmetricKey(pKey->GetKeyBuffer(), pKey->GetKeySize());
> > KDF* kdf = get_kdf("KDF2(SHA-1)");
> > InitializationVector iv = kdf->derive_key(16, pKey->GetKeyBuffer(),
> > pKey->GetKeySize(), "cipher iv");
> >
> > This seems to work fine.  One issue, is that my interface accepts a
> > password that is treated as a raw byte stream (could be random data
> > from a PRNG), and may or not be a string.  So I am not using the S2K
> > object to derive the key, and hash it 4096 times, as one of the
> > example shows.  My main concern is that if this is secure enough.
> > pKey is a pointer to my own class, that holds the raw byte stream that
> > makes up the passphrase (which may or may not be a string).
> >
> > Any thoughts/examples would be appreciated.  I'm trying to use both
> > AES-128 and AES-256, and Blowfish/Twofish.
> >
> > Regards,
> > Kevin
> > _______________________________________________
> > botan-devel mailing list
> > botan-devel at randombit.net
> > http://www.randombit.net/mailman/listinfo/botan-devel
> _______________________________________________
> botan-devel mailing list
> botan-devel at randombit.net
> http://www.randombit.net/mailman/listinfo/botan-devel
>



More information about the botan-devel mailing list