Link Search Menu Expand Document
×
Topics

Reused IV-Key Pair

Play SecureFlag Play Labs on this vulnerability with SecureFlag!

  1. Reused IV-Key Pair
    1. Description
    2. Impact
    3. Prevention
    4. Testing
    5. References

Description

In cryptography, an Initialization Vector (IV) is a nonce used to randomize the encryption, so that even if multiple messages with identical plaintext are encrypted, the generated corresponding ciphertexts will each be distinct.

Unlike the Key, the IV usually does not need to be secret, rather it is important that it is random and unique. In fact, in certain encryption schemes the IV is exchanged in public as part of the ciphertext.

Reusing the same Initialization Vector with the same Key to encrypt multiple plaintext blocks allows an attacker to compare the ciphertexts and then, with some assumptions on the content of the messages, to gain important information about the data being encrypted.

Impact

The consequences of reusing the same IV-Key pair depend on the actual cipher and mode used. In the case of Cipher Block Chaining (CBC) and Cipher Feedback (CFB) modes, the leaks of information from the first block and commonalities are enough to lead an empowered attacker to fully compromising the encryption layer of protection in the given system. For Output Feedback (OFB) and Counter (CTR) modes, IV reuse renders encryption practically useless as given two ciphertexts their XOR yields the same result of XOR-ing the two corresponding plaintexts.

Additionally, reusing the same IV-Key pair in encryption may lead to Replay Attacks where an attacker is able to intercept and replay the encrypted message that will be successfully processed by the vulnerable application.

In 1999, the Wired Equivalent Privacy algorithm for 802.11 wireless networks was ratified and implemented as the standard (and only) encryption protocol available in wireless network devices 802.11a and 802.11b for a time prior to the more robust Wi-Fi Protected Access standard was introduced. However, due to the small (24 bit) sized IV implemented in an RC4 stream cipher, researchers in 2001 were able to reconstruct the secret key by examining a sufficient number of ciphertext packets - a cryptanalysis process that was reduced to mere seconds in a fairly short space of time.

Prevention

Preventing attacks leveraging IV-Key Reuse fundamentally boils down to a number of key points:

  • Developers must not use the same Key and IV values for more than one message.
  • Developers must ensure sufficient complexity and uniqueness of the IV.
  • IV generation should be computed by cryptographically robust random number generators.
  • IV generation must not be derived from the secret key.

Testing

Verify that nonces, initialization vectors, and other single use numbers must not be used more than once with a given encryption key. The method of generation must be appropriate for the algorithm being used.

References

CWE - Reusing a Nonce, Key Pair in Encryption

Science Direct - Initialization Vector

Wikipedia - Block Cipher Mode of Operation

Cornell University - Weaknesses in the Key Scheduling Algorithm of RC4