-1
```php
public function encrypt($message){
    $sifrelememetodu = "AES-128-CBC";
    $benimsifrem = "birgul.091!birgul!";
    $sifresicozulen = openssl_encrypt($message, $sifrelememetodu, $benimsifrem);

    return $sifresicozulen;
}

public function decrypt($message){
    $sifrelememetodu = "AES-128-CBC";
    $benimsifrem = "birgul.091!birgul!";
    $sifresicozulen = openssl_decrypt($message, $sifrelememetodu, $benimsifrem);
    return $sifresicozulen;
}

$data = $this->encrypt("47380908767");
$data = $this->decrypt($data);
```

But the encrypt function gives this error:

openssl_encrypt(): Using an empty Initialization Vector (iv) is potentially insecure and not recommended

ParisaN
Cansu Koç
  • CBC mode uses an initialization vector (16 bytes for AES). If you do not specify one (in the 5th parameter), [`openssl_encrypt()`](https://www.php.net/manual/en/function.openssl-encrypt.php) implicitly creates an IV that contains only `0x00` values. However, a static IV is insecure, which is why this warning is displayed. – Topaco May 14 '21 at 13:19
  • The correct way is to generate a random IV during encryption. The IV is also needed for decryption, is not secret and is usually passed along with the ciphertext, e.g. concatenated. – Topaco May 14 '21 at 13:22

1 Answer

1

You just need to use the openssl_encrypt. You can find more information in PHP documentation here

Your decrypt function:

```php
public function decrypt($message){
    $sifrelememetodu = "AES-128-CBC";
    $benimsifrem = "birgul.091!birgul!";
    $sifresicozulen = openssl_decrypt($message, $sifrelememetodu, $benimsifrem);
    return $sifresicozulen;
}
```

The encrypt function will be:

```php
public function encrypt($message){
    $sifrelememetodu = "AES-128-CBC";
    $benimsifrem = "birgul.091!birgul!";
    $sifresicozulen = openssl_encrypt($message, $sifrelememetodu, $benimsifrem);
    return $sifresicozulen;
}
```
mmarques
  • Please don't advise a fixed IV for CBC mode: [Why is CBC with predictable IV considered insecure against chosen-plaintext attack?](https://crypto.stackexchange.com/q/3883/18298). It must be unpredictable that is more than just random. – kelalaka May 14 '21 at 17:12
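
Following the comments from Topaco and kelalaka, here is an added example (not code from the question or the answer) that draws an unpredictable IV for every message and passes it along by prepending it to the ciphertext. The function names, the base64 `IV || ciphertext` layout and the random 16-byte key are assumptions of this example; the page's 18-character password string is not used as the key.

```php
<?php
// Added example, not code from the question or answer above.
const CIPHER_METHOD = 'AES-128-CBC';

function encryptWithRandomIv(string $message, string $key): string
{
    if (strlen($key) !== 16) {
        throw new InvalidArgumentException('AES-128 needs a 16-byte key');
    }
    // Fresh, unpredictable IV from the CSPRNG for every message (16 bytes for AES).
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER_METHOD));
    $ciphertext = openssl_encrypt($message, CIPHER_METHOD, $key, OPENSSL_RAW_DATA, $iv);
    if ($ciphertext === false) {
        throw new RuntimeException('Encryption failed');
    }
    // The IV is not secret: prepend it so the receiver can decrypt.
    return base64_encode($iv . $ciphertext);
}

function decryptWithRandomIv(string $payload, string $key): string
{
    $ivLen = openssl_cipher_iv_length(CIPHER_METHOD);
    $raw = base64_decode($payload, true);
    // Need the IV plus at least one padded block, in whole 16-byte blocks.
    if ($raw === false || strlen($raw) < $ivLen + 16 || strlen($raw) % 16 !== 0) {
        throw new InvalidArgumentException('Malformed payload');
    }
    $iv = substr($raw, 0, $ivLen);
    $ciphertext = substr($raw, $ivLen);
    $plaintext = openssl_decrypt($ciphertext, CIPHER_METHOD, $key, OPENSSL_RAW_DATA, $iv);
    if ($plaintext === false) {
        throw new RuntimeException('Decryption failed');
    }
    return $plaintext;
}

// Constructed sample key (16 random bytes); a real key is generated once and stored securely.
$key = random_bytes(16);
$first = encryptWithRandomIv('47380908767', $key);
$second = encryptWithRandomIv('47380908767', $key);
// Same plaintext and key, but each call drew its own IV.
var_dump($first === $second);
var_dump(decryptWithRandomIv($first, $key));
```

CBC on its own does not authenticate the ciphertext, so a MAC over the IV and ciphertext is needed where tampering matters.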