[Cryptography] Improving MITRE's description for "CWE-329: Not Using a Random IV with CBC Mode"

Jon Callas jon at callas.org
Sun May 24 18:21:53 EDT 2020


> 
> So, after reading this, I am convinced that either I do not understand what cryptographers mean by a "dictionary attack" or MITRE doesn't.

You're pretty much right. This is an awkward assessment.

If we look at CBC mode, it's simple. We take the IV, XOR it onto the plaintext, and then encrypt that. The result is both the output and the IV for the next block. Lather, rinse, repeat. Let's also assume the key is just fine.

If the initial IV is zero, then, yes, that first block is essentially ECB mode. On the other hand, the output is completely unpredictable -- predicting it is an attack on the underlying block cipher. If we never reuse keys, there's not a lot of place for an attacker to get a foothold.

And yet, it is a flaw. In the immortal words of Bob the Angry Flower, "No! Wrong! Totally Wrong! Where'd you learn this? Stop doing it!"

Your intuition isn't bad. The comment about dictionary attacks is maddeningly off-base. A single encryption with a random key and sucky IV is still pretty secure. Nonetheless, don't do that.

I can think of examples where there might be a problem. For example, let's suppose we had a disk drive with 512-byte blocks and we used the block number as the IV. In this, we have *related* IVs, and it's not hard to think that there'd be a case where (Block_i \xor i) is equal to (Block_j \xor j) and that we could detect from the ciphertext. Moreover, since i and j are known, we learn something interesting about that first cipher block of plain text in the disk blocks. I can imagine some pathological cases, too -- suppose the first plaintext was a counter of the same size as the cipher block. In this case, the first cipher text would be the same in every block. It would also leak any time where the second plaintext block in two blocks were the same (and cascading onward). This could even be a surprise, because the people doing the plaintext data layout would never have considered that the crypto people would have done something as gawd-awful stupid as using the block number as an IV. 

Note, though, that we're still not leaking any (much?) plaintext, and it's hard to characterize how bad the flaw is. In all the cases where there is identical plaintext, we get identical ciphertext. If we know (or can guess) the plaintext, then there's the possibility we can extend this onward. In a number of the flaws found in TLS's use of CBC mode, we get something like this happening. And yet, I'm flailing over here. The problem here is more like handling a knife unsafely. Someone's going to get hurt, and after the fact it's going to be clear what happened and everyone's going to feel really stupid. Hence the wise advice of Bob.

So as bad as that explanation is, it's kinda the equivalent of, "You're going to put someone's eye out!" when in fact they're more likely to lop off a finger, yet more likely to just need a few stitches. Lots of safety advice is like that.

	Jon
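The disk-sector scenario described in the message above, worked through in code. This is an added example, not part of the original post or of anything MITRE publishes. It assumes a toy 128-bit block cipher (an eight-round Feistel network whose round function is HMAC-SHA256) standing in for AES so the script runs with no dependencies, a "disk" made of 512-byte sectors held in a Python list, and an IV rule `sector_number_iv` that is our own reconstruction of "use the block number as the IV". With that rule, two sectors whose first plaintext blocks satisfy `P_i xor i == P_j xor j` produce identical first ciphertext blocks, and the counter-at-the-start layout makes every sector's ciphertext identical block after block; a random IV per sector removes both leaks.

```python
"""Why a predictable, related IV (the sector number) leaks equality of first
plaintext blocks under CBC, and why a random IV does not.

Assumption: the block cipher below is a toy Feistel permutation built from
HMAC-SHA256, used only so the example is dependency-free. It is not AES.
"""
import hashlib
import hmac
import os

BLOCK = 16    # cipher block size in bytes (AES-sized)
SECTOR = 512  # disk sector size from the post


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Feistel round function: keyed PRF truncated to one 8-byte half.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    # Balanced 8-round Feistel network: an invertible stand-in for a real cipher.
    left, right = block[:8], block[8:]
    for rnd in range(8):
        left, right = right, xor(left, _f(key, rnd, right))
    return left + right


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(8)):
        left, right = xor(right, _f(key, rnd, left)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # CBC as the post describes it: C_i = E(P_i xor C_{i-1}) with C_0 = IV.
    # No padding: callers pass block-aligned data.
    assert len(plaintext) % BLOCK == 0 and len(iv) == BLOCK
    prev, out = iv, []
    for off in range(0, len(plaintext), BLOCK):
        prev = toy_encrypt_block(key, xor(plaintext[off:off + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    assert len(ciphertext) % BLOCK == 0 and len(iv) == BLOCK
    prev, out = iv, []
    for off in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[off:off + BLOCK]
        out.append(xor(toy_decrypt_block(key, cur), prev))
        prev = cur
    return b"".join(out)


def sector_number_iv(n: int) -> bytes:
    # The flawed rule from the post (our reconstruction): IV = sector number, zero-padded.
    return n.to_bytes(BLOCK, "big")


def random_iv(_n: int) -> bytes:
    # The fix: a fresh unpredictable IV per sector, stored alongside the ciphertext.
    return os.urandom(BLOCK)


def encrypt_disk(key: bytes, sectors: list, iv_rule) -> list:
    # Returns [(iv, ciphertext), ...], one entry per sector.
    out = []
    for n, pt in enumerate(sectors):
        iv = iv_rule(n)
        out.append((iv, cbc_encrypt(key, iv, pt)))
    return out


def distinct_first_blocks(encrypted: list) -> int:
    # A ciphertext-only observer can count these; fewer than len(encrypted) means a leak.
    return len({ct[:BLOCK] for _, ct in encrypted})


def distinct_ciphertexts(encrypted: list) -> int:
    return len({ct for _, ct in encrypted})


def counter_layout_disk(num_sectors: int) -> list:
    # Pathological layout from the post: each sector starts with a block-sized
    # counter equal to its own number, rest zero-filled (constructed sample data).
    return [n.to_bytes(BLOCK, "big") + bytes(SECTOR - BLOCK) for n in range(num_sectors)]


def related_iv_collision(key: bytes, i: int, pt_i: bytes, j: int, pt_j: bytes) -> bool:
    # Under the sector-number rule, first blocks collide exactly when P_i xor i == P_j xor j.
    ct_i = cbc_encrypt(key, sector_number_iv(i), pt_i)
    ct_j = cbc_encrypt(key, sector_number_iv(j), pt_j)
    return ct_i[:BLOCK] == ct_j[:BLOCK]


if __name__ == "__main__":
    key = os.urandom(32)
    disk = counter_layout_disk(8)
    print("sector-number IV, distinct first blocks:", distinct_first_blocks(encrypt_disk(key, disk, sector_number_iv)))
    print("sector-number IV, distinct whole sectors:", distinct_ciphertexts(encrypt_disk(key, disk, sector_number_iv)))
    print("random IV, distinct first blocks:", distinct_first_blocks(encrypt_disk(key, disk, random_iv)))
```

The cascade the post mentions shows up in `distinct_ciphertexts`: once two sectors share a first ciphertext block, equal second plaintext blocks give equal second ciphertext blocks, and so on, so the counter layout collapses the whole disk to one repeated ciphertext. The detection side is the point for a defender: a ciphertext-only scan for repeated first blocks across sectors is a cheap test that an IV scheme is related or reused.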


