
CBC-IV-Detection

Introduction:

In this section we will look into retrieving the Initialisation Vector (IV) from a CBC encryption/decryption oracle.

As discussed earlier, the Initialization Vector (IV) is an arbitrary block of data used in chained modes of block cipher operation. In AES Cipher Block Chaining mode, the previous block of ciphertext is XORed with the current plaintext block before that block is encrypted. The first block has no previous ciphertext, so a randomly generated IV takes its place.

Using a different IV for each message also ensures that the ciphertext differs even when the message and the key are the same. In general practice, the IV is transmitted in the clear along with the ciphertext, since the receiver needs it to decrypt.

Attack:

Consider a scenario where we have a CBC encryption/decryption service. We only control the input supplied to the oracle and can observe its output. In this setup, a constant IV is used inside the service and is not revealed to the user.

Suppose we send an input of length >= 32 bytes; with padding, the length of the input becomes 48 bytes (3 blocks, given a block length of 16). The oracle encrypts the plaintext and gives out 3 blocks of ciphertext. (Note: the lengths of the padded plaintext and the ciphertext are equal.) Take a look at the following diagram to get more clarity on this.

CBC-encryption

Have you wondered why we are giving an input three times the block length? Buckle up, we are gonna see that soon! Before that, let us take a look at the decryption part too.

CBC-decryption

Now we can write down the plaintext blocks as follows:

p1 = D(c1) xor iv
p2 = D(c2) xor c1
p3 = D(c3) xor c2

Note: p1, p2, p3 are the 1st, 2nd and 3rd blocks of the plaintext respectively.

When c3 = c1 and c2 is an empty block, i.e. c2 = "\x00"*blocksize, then

p1 = D(c1) xor iv
p2 = D("\x00"*blocksize) xor c1
p3 = D(c3 = c1) xor "\x00"*blocksize = D(c1)

Now it's time to retrieve the IV. It is evident from the above lines that p1 xor p3 gives us the IV: p1 xor p3 = (D(c1) xor iv) xor D(c1) = iv (remember, anything XORed with itself just cancels out). You can also see that we are making use of all three blocks of ciphertext to get back the IV, which justifies our choice of input length. Now get going and master the next topic :)
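To make the derivation concrete, here is an added worked example; it is not code from the original page. A small Feistel-style toy block cipher stands in for AES so the script runs with only the standard library. The attack depends only on the CBC chaining structure, not on the cipher, so nothing changes when a real cipher is substituted. The `Oracle` class, its fixed hidden IV, and the assumption that the decryption side hands back the raw decrypted bytes without a padding check are all constructed for this example.

```python
import hashlib
import os
from typing import Optional

BLOCK = 16   # block length in bytes, as in AES
ROUNDS = 4   # rounds of the toy Feistel cipher


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function for the toy cipher (constructed for this example).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy 128-bit Feistel cipher standing in for AES; E(key, .) is a bijection."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(ROUNDS):
        left, right = right, xor(left, _round_fn(key, rnd, right))
    return left + right


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    """Inverse of toy_encrypt_block: undo the Feistel rounds in reverse order."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(ROUNDS)):
        left, right = xor(right, _round_fn(key, rnd, left)), left
    return left + right


def pkcs7_pad(data: bytes) -> bytes:
    """PKCS#7 padding: always adds 1..BLOCK bytes, so 32 input bytes become 48."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: each plaintext block is XORed with the previous ciphertext block (IV first)."""
    padded = pkcs7_pad(plaintext)
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = toy_encrypt_block(key, xor(padded[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt_raw(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """CBC decryption returning raw blocks: p_i = D(c_i) xor c_(i-1), with c_0 = IV.
    No padding check, matching the page's oracle which hands back whatever it decrypts."""
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out += xor(toy_decrypt_block(key, block), prev)
        prev = block
    return out


class Oracle:
    """Constructed encryption/decryption service with a fixed IV it never reveals."""

    def __init__(self, key: Optional[bytes] = None, iv: Optional[bytes] = None):
        self._key = key or os.urandom(BLOCK)
        self._iv = iv or os.urandom(BLOCK)

    def encrypt(self, plaintext: bytes) -> bytes:
        return cbc_encrypt(self._key, self._iv, plaintext)

    def decrypt(self, ciphertext: bytes) -> bytes:
        return cbc_decrypt_raw(self._key, self._iv, ciphertext)

    def check_iv(self, guess: bytes) -> bool:
        # Verification hook for the demo only; a real service has nothing like it.
        return guess == self._iv


def recover_iv(oracle: Oracle) -> bytes:
    """The page's three-block trick: decrypt c1 || 0^16 || c1 and XOR p1 with p3."""
    ciphertext = oracle.encrypt(b"A" * 32)   # >= 32 bytes -> 48 after padding, 3 blocks
    c1 = ciphertext[:BLOCK]
    crafted = c1 + bytes(BLOCK) + c1         # c2 is the all-zero block, c3 = c1
    plaintext = oracle.decrypt(crafted)
    p1, p3 = plaintext[:BLOCK], plaintext[2 * BLOCK:3 * BLOCK]
    # p1 = D(c1) xor iv and p3 = D(c1) xor 0 = D(c1), so p1 xor p3 = iv
    return xor(p1, p3)


def demo() -> bool:
    """Build an oracle with a random hidden IV and check that recover_iv finds it."""
    oracle = Oracle()
    return oracle.check_iv(recover_iv(oracle))


if __name__ == "__main__":
    print("IV recovered:", demo())
```

Running `demo()` returns True: the recovered block equals the oracle's hidden IV. The practitioner's takeaway is the one the page implies: keeping the IV secret buys no confidentiality, so treat it as public and per-message random, and authenticate ciphertexts (an AEAD mode, or a MAC over IV and ciphertext) so that a crafted c1 || 0 || c1 message is rejected before any decryption output can be observed.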