
I am confused. According to the below my IV "MUST" be unique for every round of encryption.

Properties of an IV depend on the cryptographic scheme used. A basic requirement is uniqueness, which means that no IV may be reused under the same key. For block ciphers, repeated IV values devolve the encryption scheme into electronic codebook mode: equal IV and equal plaintext result in equal ciphertext. - https://en.wikipedia.org/wiki/Initialization_vector

I am using the .NET AesCryptoServiceProvider class. I am using GenerateIV to generate a new IV and sending that IV along with the cipher text to a remote endpoint which will then decrypt the packet using the IV and privately shared key.

My packet is XML, and thus will always start with the same leading text. (e.g. "<SomeTag ...>unique_text</SomeTag>")

My key might live over thousands of encrypt/decrypt cycles during the five to ten minute life of the key. How many times can I call GenerateIV before I generate the same IV twice? Or phrased another way, how many cycles is GenerateIV good for? Five, ten, hundreds, thousands, millions?

Here is the code in question:

// Fresh random 16-byte IV for this packet; GenerateIV() overwrites the provider's IV property.
_sessionKeys[_currentSessionKeyId].GenerateIV();
var key = _sessionKeys[_currentSessionKeyId].Key;
var iv = _sessionKeys[_currentSessionKeyId].IV;   // sent along with the ciphertext to the remote endpoint

// Encryptor bound to this key/IV pair; used for this one packet only.
ICryptoTransform encryptor = _sessionKeys[_currentSessionKeyId].CreateEncryptor(key, iv);

It seems that, given that the IV generated by AesCryptoServiceProvider.GenerateIV is of finite size, the number of times it can be called before generating a duplicate IV is also finite. But what is that finite number?

Ayo I
  • You're worried about exhausting a 128-bit space? – Damien_The_Unbeliever Sep 09 '15 at 06:10
  • The docs are not entirely accurate. The IV must be unique for CTR mode. When there is a collision then all plaintexts that collided can be recovered with a little ingenuity and seeing patterns. If you use some other mode like CBC, then you would only lose semantic security, but that doesn't necessarily reveal your plaintexts. The IV should be unpredictable, but not necessarily unique. – Artjom B. Sep 09 '15 at 07:26
  • @ArtjomB. - agreed. Some people conflate IVs and Nonces, and that wikipedia article seems to suffer from that problem, in places. – Damien_The_Unbeliever Sep 09 '15 at 07:28
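The scheme the question describes, written out end to end as an added example (this is not the questioner's code and not part of the original post): one fresh IV from AesCryptoServiceProvider.GenerateIV per packet, the IV sent in front of the ciphertext, and the receiver decrypting with that IV and the shared key. The last function shows the CBC hazard behind the Wikipedia quote and Artjom B.'s comment: two XML packets that share the same 16-byte leading text, encrypted under the same key and the same IV, produce the same first ciphertext block. The session key, the message strings and the all-zero reused IV are constructed sample values for the demonstration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class IvPerMessageDemo
{
    // Sender: a fresh random IV for every call, prepended to the ciphertext.
    static byte[] Encrypt(byte[] key, string plaintext)
    {
        using (var aes = new AesCryptoServiceProvider())   // CBC + PKCS7 are the defaults
        {
            aes.Key = key;
            aes.GenerateIV();                               // new 16-byte IV for this packet only
            byte[] body = Encoding.UTF8.GetBytes(plaintext);
            using (ICryptoTransform enc = aes.CreateEncryptor(aes.Key, aes.IV))
            {
                byte[] ct = enc.TransformFinalBlock(body, 0, body.Length);
                return aes.IV.Concat(ct).ToArray();         // wire format: IV || ciphertext
            }
        }
    }

    // Receiver: read the IV from the front of the packet, decrypt the rest with the shared key.
    static string Decrypt(byte[] key, byte[] packet)
    {
        byte[] iv = packet.Take(16).ToArray();
        byte[] ct = packet.Skip(16).ToArray();
        using (var aes = new AesCryptoServiceProvider())
        using (ICryptoTransform dec = aes.CreateDecryptor(key, iv))
        {
            return Encoding.UTF8.GetString(dec.TransformFinalBlock(ct, 0, ct.Length));
        }
    }

    // The failure mode: deliberately encrypt two messages under the SAME key and the SAME IV
    // and report whether their first ciphertext blocks are identical.
    static bool FirstBlocksMatchUnderReusedIv(byte[] key, byte[] iv, string a, string b)
    {
        byte[] ba = Encoding.UTF8.GetBytes(a);
        byte[] bb = Encoding.UTF8.GetBytes(b);
        using (var aes = new AesCryptoServiceProvider())
        using (ICryptoTransform enc1 = aes.CreateEncryptor(key, iv))
        using (ICryptoTransform enc2 = aes.CreateEncryptor(key, iv))
        {
            byte[] ca = enc1.TransformFinalBlock(ba, 0, ba.Length);
            byte[] cb = enc2.TransformFinalBlock(bb, 0, bb.Length);
            return ca.Take(16).SequenceEqual(cb.Take(16));
        }
    }

    static void Main()
    {
        // Constructed shared session key (256-bit) standing in for the questioner's _sessionKeys entry.
        byte[] key = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(key);

        // Constructed XML packets: the first 16 bytes, <SomeTag id="1">, are identical.
        string m1 = "<SomeTag id=\"1\">first unique text</SomeTag>";
        string m2 = "<SomeTag id=\"1\">second unique text</SomeTag>";

        byte[] p1 = Encrypt(key, m1);
        byte[] p2 = Encrypt(key, m1);   // same plaintext again, new IV
        if (Decrypt(key, p1) != m1)
            throw new Exception("round trip failed");
        if (p1.Skip(16).SequenceEqual(p2.Skip(16)))
            throw new Exception("fresh IVs should give different ciphertexts for equal plaintexts");

        byte[] reusedIv = new byte[16];   // constructed: the IV an implementation might wrongly keep reusing
        if (!FirstBlocksMatchUnderReusedIv(key, reusedIv, m1, m2))
            throw new Exception("expected equal first blocks under a reused IV");

        Console.WriteLine("per-packet IV: equal plaintexts encrypt differently; reused IV: shared prefix leaks");
    }
}
```

With a fresh IV per packet the two encryptions of m1 differ in every block; with the reused IV an observer learns that m1 and m2 start with the same 16 bytes, which is exactly the "equal IV and equal plaintext result in equal ciphertext" effect from the quoted Wikipedia text, confined to the shared prefix. Like the question's own code, this example has no integrity check on the packet; CBC ciphertext is malleable, so a real deployment needs a MAC or an authenticated mode on top. On .NET 6 and later AesCryptoServiceProvider is marked obsolete in favour of Aes.Create(), which exposes the same GenerateIV, CreateEncryptor and CreateDecryptor members used here.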

1 Answer


There are 128 bits (16 bytes) in an IV. According to the Wikipedia page on the Birthday Attack (the probability you will see a repeated value pulling randomly from a pool), to have a 0.0000000000000001% chance of seeing any number twice you must call the function about 26,000,000,000 times. To get it to be a 1% chance that any number is seen twice you must call it 2,600,000,000,000,000,000 times.

This assumes GenerateIV has a "good" random number generator that gives an even distribution, which it should have.

Scott Chamberlain
  • Thank you. Great answer. This is exactly what I was looking for. Also, thank you for the reference to the Birthday Attack. That's the math I wanted to see. – Ayo I Sep 09 '15 at 20:09
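The birthday-bound arithmetic behind the figures in the answer, written out as an added derivation that is not part of the original answer. N is the number of possible IV values, n the number of GenerateIV calls under one key, and p the probability that at least one value repeats; the final line takes the questioner's own "thousands of cycles per key" as a sample value of n = 10^4.

```latex
\begin{align*}
N &= 2^{128} \approx 3.40 \times 10^{38} \\
p(n) &= 1 - \prod_{k=1}^{n-1}\Bigl(1 - \frac{k}{N}\Bigr)
      \;\approx\; 1 - e^{-n(n-1)/(2N)}
      \;\approx\; \frac{n^{2}}{2N} \qquad (n \ll \sqrt{N}) \\
n(p) &\approx \sqrt{2 N p} \\[4pt]
p = 10^{-18}\ (0.0000000000000001\%):\quad n &\approx \sqrt{2 \cdot 3.40\times10^{38} \cdot 10^{-18}} \approx 2.6 \times 10^{10} \\
p = 10^{-2}\ (1\%):\quad n &\approx \sqrt{2 \cdot 3.40\times10^{38} \cdot 10^{-2}} \approx 2.6 \times 10^{18} \\
n = 10^{4}\ \text{(thousands of packets per key)}:\quad p &\approx \frac{10^{8}}{2 \cdot 3.40\times10^{38}} \approx 1.5 \times 10^{-31}
\end{align*}
```

The bound holds only under the answer's stated assumption that GenerateIV draws each IV uniformly at random; a counter or otherwise structured IV is governed by its own construction, not by the birthday bound.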