[Cryptography] Improving MITRE's description for "CWE-329: Not Using a Random IV with CBC Mode"

Ángel angel at crypto.16bits.net
Thu May 21 22:56:10 EDT 2020

Hello Kevin

I agree with you in that these descriptions should be improved.

You *could* make a dictionary attack if there was no IV, or only a fixed
one, much like you could create one for a hash function with no salt.

However, I don't think that would be the main problem.
The complete opposite of a random IV would be a fixed IV. It is clear
that such scheme would not achieve the probably expected security, as
files with common prefixes would result in encrypted files with common
encrypted prefixes.
If the IV varies, but it is predictable (e.g. a counter), an attacker
with access to an encryption oracle could send requests crafted so that
they undo the IV variation.

There is probably some cryptanalysis made possible by having a weak IV,
although -assuming a strong block cipher- I don't see how that may work.
Which isn't reassuring, given my lack of knowledge on the field :)

The most advanced attack I can think of right now, involving predictable
IVs would be a system that backed up the files of multiple users,
encrypting them separately with the same key but different, predictable,
IV. One of those users which viewed the encrypted output could abuse it
to discover/confirm that a file owned by a different user matches a
candidate plaintext file.

Best regards

More information about the cryptography mailing list