This entry was triggered by this question. Someone asked how to use AES, and we got 2 sample classes that do it wrong. The flaw in both was that they shared the IV which means your ciphertext will can leak information. One answerer didn't believe me at first, but then got it and deleted his code. The other person got offended and said IVs, performing authentication, etc. are all "corner cases" and any problem is "contrived". So, I'm going to provide a bit of code and show two problems that arise from not generating a unique IV for each message and not authenticating the decrypted data.
First, I wrote this a while ago: What is an IV?. That describes what an IV is, and why you need a unique one for each message. Wikipedia also has good information on this. Now for the demo. I used the code at the bottom, but removed the hashing and random IV from the code. So it's just encrypting the with the same key and IV for each message -- very straightforward. Here are the messages and their ciphertext:
"Alice; Bob; Eve;: PerformAct1""Alice; Bob; Eve;: PerformAct2"
tZfHJSFTXYX8V38AqEfYVXU5Dl/meUVAond70yIKGHY= tZfHJSFTXYX8V38AqEfYVcf9a3U8vIEk1LuqGEyRZXM=
Notice how the first block of ciphertext is the same? All messages starting with "Alice; Bob; Eve;" will have that same first block. That means an attacker, after getting this ciphertext once, now knows if any message is addressed the same way. Very, very straightforward, basic attack. Now, maybe for a specific implementation you have in mind, this is not an issue. But it's still improperly implemented cryptography.
For the next attack, we're going to show that even with a random IV, you need to authenticate your decrypted messages. This code generates a 64-bit integer and encrypts it with AES and a random key/IV. Then, it starts changing bytes until the decrypt succeeds. Presto: the attacker was able to present a completely different value, and the decryption was successful.
public static void Main() { var buff = new byte[8]; new Random().NextBytes(buff); var v = BitConverter.ToUInt64(buff, 0); Console.WriteLine("Value: " + v.ToString()); Console.WriteLine("Value (bytes): " + BitConverter.ToString(BitConverter.GetBytes(v))); var aes = Aes.Create(); aes.GenerateIV(); aes.GenerateKey(); var encBytes = aes.CreateEncryptor().TransformFinalBlock(BitConverter.GetBytes(v), 0, 8); Console.WriteLine("Encrypted: " + BitConverter.ToString(encBytes)); var dec = aes.CreateDecryptor(); Console.WriteLine("Decrypted: " + BitConverter.ToUInt64(dec.TransformFinalBlock(encBytes, 0, encBytes.Length), 0)); for (int i = 0; i < 8; i++) { for (int x = 0; x < 250; x++) { encBytes[i]++; try { Console.WriteLine("Attacked: " + BitConverter.ToUInt64(dec.TransformFinalBlock(encBytes, 0, encBytes.Length), 0)); return; } catch { } } }}
Here's an example run:
Value: 5686260040031435365Value (bytes): 65-7A-92-1A-61-A7-E9-4EEncrypted: F4-62-AC-02-2D-7D-43-6A-4D-97-68-4D-95-9F-8A-DFDecrypted: 5686260040031435365Attacked: 1603329786558177755
Since there's no authentication of the decrypted data, an attacker can just play with the ciphertext until it generates an acceptable value. Perhaps you have other mitigations in your implementation/application for this, but why rely on that?
Here's some demo code (I haven't tested it much, so it might have some major issues -- but not by design AFAIK). Note this just shows performing an encryption operation, including the IV in the message, and verifying the decrypted bytes. Other things like replay attacks are not considered. If you're trying to learn how to use crypto so you can drop it into an application, STOP, then go read enough to understand what you're doing and the implications for your particular application.
aesdemo.cs.txt (4.38 KB)
Remember Me