3

I have a question about IV in Rijndael encryption.

My current approach of using Rijndael is to use a pair of static Key and Iv for all encryption operations (I mean I use this pair of Key and Iv for all protected files in my computer).

I heard that IV must be unique for each Rijndael encryption. Is that true? What is the problem (if any) for my current approach of using single static Key and Iv pair?

user774411
  • Somewhat related: http://en.wikipedia.org/wiki/Related-key_attack – Alix Axel Feb 17 '12 at 22:45
  • Related: https://crypto.stackexchange.com/questions/54980/when-it-is-safe-to-reuse-iv-or-not-using-at-all and if your chaining mode is CBC, IV reuse is actually CWE-329 https://cwe.mitre.org/data/definitions/329.html – Bruno Rohée Jul 04 '22 at 12:14

2 Answers

4

If you encrypt the same message twice, you'll get the same results - by varying either the key or the IV, that won't be the case. (Varying the IV is simpler as you can transmit that in plain text; it doesn't involve any sort of secret exchange.)

That means if you reuse the same IV, that can give information to an attacker: if they know the contents of one message, and they see the same encrypted data again, they'll know it's the same message.

So yes, I would vary the IV each time. (And try to avoid using the same key everywhere, ideally... it's like using the same password for multiple web sites: it means if you're compromised in one place, you've lost security everywhere.)

Jon Skeet
  • But if the *static* key is compromised (and the dynamic IV is transmitted in plain text) the data can be decrypted anyway, right? If so, it seems that it doesn't really matter if the IV is static or not. – Alix Axel Feb 16 '12 at 23:26
  • @AlixAxel: It doesn't help in that case, but that's not the only attack that's important. If the key itself *isn't* compromised, but one *plaintext* message is, wouldn't you rather like the attacker not to be able to tell if that same plaintext message is sent again later? – Jon Skeet Feb 17 '12 at 20:45
2

The initialization vector initializes the AES engine to a specific state. The main goal of using a dynamic IV is that two consecutive encryptions of the same file won't result in the same encrypted value. To decrypt the file, you also need to initialize the AES engine with this same IV. As a consequence, the IV has to be stored with your encrypted file.

I don't think that the initialization vector will offer much additional security in your use case. It's nice to have it when you're encrypting data that can be subject to dictionary attacks (passwords on the wire, card numbers, PIN codes). For files, it will hardly be possible.

sk_
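Both answers above describe the same effect: with one fixed key and IV, encrypting the same file twice yields the same ciphertext, and the remedy is a fresh IV for every encryption, stored alongside the ciphertext so decryption can re-initialise the cipher. The Go program below is an added example, not code from the question or from either answer. It uses the standard library's AES in CBC mode, which is Rijndael at the 128-bit block size that .NET's Rijndael classes use by default; the 32-byte key, the 16-byte static IV and the file contents are constructed for the demonstration and are assumptions of the example. It also shows a leak the answers only hint at: under a static IV, two files that share their first 16 bytes also share their first ciphertext block.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed demo key (32 bytes selects AES-256) and a static 16-byte IV, as in the
// question. A real key comes from a CSPRNG or a KDF, never from a string literal.
var demoKey = []byte("0123456789abcdef0123456789abcdef")
var demoIV = []byte("static-iv-16byte")

// pkcs7Pad brings the plaintext up to a whole number of blocks, as CBC requires.
func pkcs7Pad(data []byte) []byte {
	n := aes.BlockSize - len(data)%aes.BlockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad reverses pkcs7Pad and rejects malformed padding.
func pkcs7Unpad(data []byte) ([]byte, error) {
	if len(data) == 0 || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("invalid padded length")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > aes.BlockSize || n > len(data) {
		return nil, errors.New("invalid padding")
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, errors.New("invalid padding")
		}
	}
	return data[:len(data)-n], nil
}

// EncryptCBC is AES-CBC with a caller-supplied IV. Passing the same IV every
// time reproduces the question's static key+IV scheme.
func EncryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// DecryptCBC reverses EncryptCBC given the same key and IV.
func DecryptCBC(key, iv, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) == 0 || len(ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ciphertext)
	return pkcs7Unpad(out)
}

// SealWithRandomIV draws a fresh random IV per call and prepends it to the
// ciphertext: the IV is not secret, and storing it with the file is what lets
// the decryptor re-initialise the cipher to the same state later.
func SealWithRandomIV(key, plaintext []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	ct, err := EncryptCBC(key, iv, plaintext)
	if err != nil {
		return nil, err
	}
	return append(iv, ct...), nil
}

// OpenWithRandomIV splits the stored IV off the front and decrypts the rest.
func OpenWithRandomIV(key, sealed []byte) ([]byte, error) {
	if len(sealed) < 2*aes.BlockSize {
		return nil, errors.New("sealed data too short to hold an IV and one block")
	}
	return DecryptCBC(key, sealed[:aes.BlockSize], sealed[aes.BlockSize:])
}

func main() {
	fileA := []byte("same file contents")
	fileB := []byte("same file contents, but a different tail")
	a1, _ := EncryptCBC(demoKey, demoIV, fileA)
	a2, _ := EncryptCBC(demoKey, demoIV, fileA)
	b, _ := EncryptCBC(demoKey, demoIV, fileB)
	fmt.Println("static IV, same file twice -> same ciphertext:", bytes.Equal(a1, a2))
	fmt.Println("static IV, shared 16-byte prefix -> same first block:", bytes.Equal(a1[:16], b[:16]))
	s1, _ := SealWithRandomIV(demoKey, fileA)
	s2, _ := SealWithRandomIV(demoKey, fileA)
	p, _ := OpenWithRandomIV(demoKey, s1)
	fmt.Println("random IV, same file twice -> same ciphertext:", bytes.Equal(s1, s2))
	fmt.Println("random IV, round trip ok:", bytes.Equal(p, fileA))
}
```

Two caveats a practitioner would add to the answers. For CBC specifically, the IV must be unpredictable (drawn from a CSPRNG as above), not merely unique: a counter or a predictable value lets an attacker who can submit plaintexts test guesses about earlier blocks. And CBC on its own gives no integrity: anyone who can modify the stored file can flip chosen bits in the decrypted output, so a MAC over IV and ciphertext, or an authenticated mode such as AES-GCM where the platform offers it, belongs next to this.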