Geek Answers Handbook

Using the initial vector (IV) mode

from what I know, CTR mode does not use the start vector. It just takes the counter, encrypts it with the given key, and then XOR returns the result in clear text to get the encrypted text.

Other block encryption modes, such as CBC, before performing encryption, they are XOR plaintext with an initial vector.

So here is my problem. I have the following Java code (using the bouncycastle library):

Cipher cipher = Cipher.getInstance("AES/CTR/PKCS5Padding", "BC"); cipher.init(Cipher.ENCRYPT_MODE, key); byte[] result = cipher.doFinal("Some plaintext");

Each different call to the above code with the same key gives an excellent result! But on execution:

 byte[] IV = new byte[]{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; Cipher cipher = Cipher.getInstance("AES/CTR/PKCS5Padding", "BC"); cipher.init(Cipher.ENCRYPT_MODE, key, IV); byte[] result = cipher.doFinal("Some plaintext");

I accept the same result in every call to the above code. But why is that? I mean, CTR does not need an IV, so why, when I do not give IV in each call, I get a different result, and when I give IV, it returns the same result? If I always use the above IV (all zeros) when using CTR, will it be safe?

Any ideas would be very helpful. Thanks you

+7
source share
3 answers

The caveat most important with CTR mode is that you never, never use the same counter value with the same key. If you do, you will truly give away your plaintext.

To help with this, in some realistic realities of the CTR mode, the block to be transferred to the block cipher is split into two parts, designated as IV and counter (instead of calling it all a counter), IV is randomly generated, and the counter starts with 0.

This allows you to run the "counter" part to zero for multiple messages if you will never reuse the "IV" part.

Please note that this is just a labeling agreement. Mathematically, this is the same as invoking the entire β€œcounter” and starting the counter with a random multiple of some integer for each message.

I don’t know how exactly the Bouncy Castle implementation works - perhaps you can set the entire start block, counter and all using the value IV . Apparently, it creates a reasonable IV for you if you do not supply it, so you get different results with the same input. The bottom line is that this is good, and exactly what you want - supplying all zeros - is bad, not what you want.

+5
source

CTR works by encrypting sequential counter values. The first value for this sequence is IV (IV means "initial value" ...). So CTR really uses IV.

If you use CTR mode with the same key and can reuse the counter value that you already used for some other encryption (with the same key), then you get the infamous two-time keyboard, and security went down. In particular, using fixed IV for all messages is a sure recipe for disaster.

An β€œeasy” way to avoid counter repetition is to always choose an IV with a cryptographically protected random number generator (I think β€œ java.security.SecureRandom ”) among the many possible IVs, that is, all 16-byte sequences. This space is large enough that your risk of reusing the counter value at some point can be neglected.

To be complete, a fixed IV is acceptable if you make sure that you use this key only once. Security problems arise when reusing the same counter value with the same key. However, having a new key for each message is at least as complex as having a new IV for each message.

+2
source

CTR mode uses what is essentially equivalent to IV, and this is the initial value of the counter.

0
source

More articles:


All Articles