mcrypt: safe to use a fixed non-binary IV with a good key?

Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

mcrypt: safe to use a fixed non-binary IV with a good key?

Post by Apollo »

When using mcrypt_encrypt and mcrypt_decrypt with MCRYPT_RIJNDAEL_256 encryption and MCRYPT_MODE_CBC block mode, it needs an IV (Initialization Vector).

The example on php.net shows the creation and usage of a random IV (whereas their example uses ECB block mode which actually doesn't use the IV, so it's kinda misleading). Creating a random IV before encryption doesn't seem very useful to me, as you need the same IV next time when you decrypt earlier encrypted data.

Instead, I use this for ALL my encryption and decryption:

```php
$fixedIV = md5('hello'); // 32 hex characters, reused for every message
// note that mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC) == strlen($fixedIV)
```

And the keys I use when encrypting are different for various kinds of data, and not easy to brute force (for example $key="gP6s7m#G2VsLzg1c!SqA9").

Is this safe & secure? I mean, can I rely on just the keys being hard to crack? That is, even though my IV is fixed, can be easily brute-forced (rainbow tables), and consists of only 32 hexadecimal digits (as opposed to 32 random bytes).

Hannes2k
Forum Contributor
Posts: 102
Joined: Fri Oct 24, 2008 12:22 pm

Re: mcrypt: safe to use a fixed non-binary IV with a good key?

Post by Hannes2k »

Hi,
the IV does not really increase the security of your algorithm. If you use a random IV, an attacker cannot see if the message you send has already been sent earlier.

But: if you use a different key for each encryption, there won't be any trouble with a fixed IV.

PS:
The common way to share the IV is by setting the IV as the first ciphertext block. (IV | Cipherblock1 | Cipherblock 2 | ...)
So for decryption you read the first 128 bits (of the first ciphertext block), set it as the IV and then start to decrypt the rest of the message.
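An added example (not code from this thread or from PHP's mcrypt documentation) of the layout Hannes2k describes, written in Go because its standard library ships AES-CBC. It assumes AES with 16-byte blocks rather than Rijndael-256's 32-byte blocks, PKCS#7 padding in place of mcrypt's zero padding, and a constructed demo key. Encrypting the same message twice under a fixed IV yields identical output, which is exactly what a per-message random IV stored as the first block prevents:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Encrypt returns IV || ciphertext, the layout Hannes2k describes: the IV is stored
// as the first block and need not be secret. A nil iv draws a fresh random one.
func Encrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	bs := block.BlockSize()
	if iv == nil {
		iv = make([]byte, bs)
		if _, err = rand.Read(iv); err != nil { return nil, err }
	}
	n := bs - len(plaintext)%bs // PKCS#7 padding (mcrypt zero-pads, which cannot be stripped unambiguously)
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(append([]byte{}, iv...), out...), nil
}

// Decrypt reads the first block back as the IV, decrypts the rest and strips the padding.
func Decrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	bs := block.BlockSize()
	if len(data) < 2*bs || len(data)%bs != 0 { return nil, fmt.Errorf("bad ciphertext length") }
	out := make([]byte, len(data)-bs)
	cipher.NewCBCDecrypter(block, data[:bs]).CryptBlocks(out, data[bs:])
	n := int(out[len(out)-1]) // PKCS#7: the last byte gives the pad length
	if n == 0 || n > bs || !bytes.Equal(out[len(out)-n:], bytes.Repeat([]byte{byte(n)}, n)) { return nil, fmt.Errorf("bad padding") }
	return out[:len(out)-n], nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte demo key (AES-256)
	fixed := make([]byte, aes.BlockSize)                // a fixed IV, as in the question
	a, _ := Encrypt(key, fixed, []byte("same message"))
	b, _ := Encrypt(key, fixed, []byte("same message"))
	c, _ := Encrypt(key, nil, []byte("same message"))
	d, _ := Encrypt(key, nil, []byte("same message"))
	fmt.Println("fixed IV repeats:", bytes.Equal(a, b), "random IV repeats:", bytes.Equal(c, d))
}
```

The random IV only stops an observer from linking repeated messages; CBC ciphertext that an attacker can modify still needs a MAC over IV and ciphertext before decryption.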
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: mcrypt: safe to use a fixed non-binary IV with a good key?

Post by Apollo »

Hannes2k wrote:
> If you use a random IV, an attacker cannot see if the message you send has already been sent earlier.

Good point.

> The common way to share the IV is by setting the IV as the first ciphertext block. (IV | Cipherblock1 | Cipherblock 2 | ...)

Seems like a good idea.

Thanks!