Is it recommended that I use an initialization vector to encrypt/decrypt my data? Will it make things more secure? Is it one of those things that need to be evaluated on a case by case basis?
是否建议我使用初始化向量来加密/解密我的数据?它会让事情更安全吗?是否需要根据具体情况进行评估?
To put this into actual context, the Win32 Cryptography function, CryptSetKeyParam allows for the setting of an initialization vector on a key prior to encrypting/decrypting. Other API's also allow for this.
为了将其置于实际上下文中,Win32 Cryptography函数CryptSetKeyParam允许在加密/解密之前在密钥上设置初始化向量。其他API也允许这样做。
What is generally recommended and why?
通常建议什么,为什么?
7 个解决方案
#1
24
An IV is essential when the same key might ever be used to encrypt more than one message.
当相同的密钥可能用于加密多个消息时,IV是必不可少的。
The reason is because, under most encryption modes, two messages encrypted with the same key can be analyzed together. In a simple stream cipher, for instance, XORing two ciphertexts encrypted with the same key results in the XOR of the two messages, from which the plaintext can be easily extracted using traditional cryptanalysis techniques.
原因是,在大多数加密模式下,可以一起分析使用相同密钥加密的两条消息。例如,在简单的流密码中,对使用相同密钥加密的两个密文进行异或运算导致两个消息的XOR,使用传统的密码分析技术可以从中轻松提取明文。
A weak IV is part of what made WEP breakable.
弱IV是使WEP易碎的部分原因。
An IV basically mixes some unique, non-secret data into the key to prevent the same key ever being used twice.
IV基本上将一些独特的非秘密数据混合到密钥中,以防止相同的密钥被使用两次。
#2
8
In most cases you should use IV. Since IV is generated randomly each time, if you encrypt same data twice, encrypted messages are going to be different and it will be impossible for the observer to say if this two messages are the same.
在大多数情况下,您应该使用IV。由于每次都会随机生成IV,如果加密相同的数据两次,加密的消息就会不同,观察者也不可能说这两条消息是否相同。
#3
5
Take a good look at a picture (see below) of CBC mode. You'll quickly realize that an attacker knowing the IV is like the attacker knowing a previous block of ciphertext (and yes they already know plenty of that).
仔细看看CBC模式的图片(见下文)。您很快就会意识到,知道IV的攻击者就像攻击者知道前一块密文一样(是的,他们已经知道了很多这样的密文)。
Here's what I say: most of the "problems" with IV=0 are general problems with block encryption modes when you don't ensure data integrity. You really must ensure integrity.
这就是我所说的:当你不确保数据完整性时,IV = 0的大多数“问题”是块加密模式的一般问题。你真的必须确保诚信。
Here's what I do: use a strong checksum (cryptographic hash or HMAC) and prepend it to your plaintext before encrypting. There's your known first block of ciphertext: it's the IV of the same thing without the checksum, and you need the checksum for a million other reasons.
以下是我的工作:使用强校验和(加密哈希或HMAC)并在加密前将其添加到您的明文中。有你已知的第一个密文块:它是没有校验和的同一个东西的IV,你需要校验和一百万个其他原因。
Finally: any analogy between CBC and stream ciphers is not terribly insightful IMHO.
最后:CBC和流密码之间的任何类比都不是非常有见地的恕我直言。
Just look at the picture of CBC mode, I think you'll be pleasantly surprised.
只要看看CBC模式的图片,我想你会感到惊喜。
Here's a picture:
这是一张图片:
http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation
#4
2
I found the writeup of HTTP Digest Auth (RFC 2617) very helpful in understanding the use and need for IVs / nonces.
我发现HTTP Digest Auth(RFC 2617)的写法非常有助于理解IVs / nonce的使用和需求。
#5
2
If the same key is used multiple times for multiple different secrets patterns could emerge in the encrypted results. The IV, that should be pseudo random and used only once with each key, is there to obfuscate the result. You should never use the same IV with the same key twice, that would defeat the purpose of it.
如果对于多个不同的秘密多次使用相同的密钥,则可能在加密结果中出现模式。 IV,应该是伪随机的,并且每个密钥只使用一次,可以对结果进行模糊处理。你永远不应该使用相同的四次使用相同的密钥,这会破坏它的目的。
To not have to bother keeping track of the IV the simplest thing is to prepend, or append it, to the resulting encrypted secret. That way you don't have to think much about it. You will then always know that the first or last N bits is the IV.
为了不必去追踪IV,最简单的事情是将前置或附加到生成的加密秘密。这样你就不用多想了。然后,您将始终知道第一个或最后一个N位是IV。
When decrypting the secret you just split out the IV, and then use it together with the key to decrypt the secret.
在解密秘密时,您只需拆分IV,然后将其与密钥一起使用以解密秘密。
#6
1
Is it one of those things that need to be evaluated on a case by case basis?
是否需要根据具体情况进行评估?
Yes, it is. Always read up on the cipher you are using and how it expects its inputs to look. Some ciphers don't use IVs but do require salts to be secure. IVs can be of different lengths. The mode of the cipher can change what the IV is used for (if it is used at all) and, as a result, what properties it needs to be secure (random, unique, incremental?).
是的。始终阅读您正在使用的密码以及它希望其输入看起来如何。有些密码不使用静脉注射,但确实需要使用盐。 IV可以具有不同的长度。密码的模式可以改变IV用于什么(如果它被使用),结果,它需要什么属性安全(随机,唯一,增量?)。
It is generally recommended because most people are used to using AES-256 or similar block ciphers in a mode called 'Cipher Block Chaining'. That's a good, sensible default go-to for a lot of engineering uses and it needs you to have an appropriate (non-repeating) IV. In that instance, it's not optional.
通常建议使用,因为大多数人习惯在称为“密码块链接”的模式下使用AES-256或类似的分组密码。对于许多工程用途来说,这是一个很好的,合理的默认设置,它需要你有一个合适的(非重复的)IV。在那种情况下,它不是可选的。
#7
0
The IV allows for plaintext to be encrypted such that the encrypted text is harder to decrypt for an attacker. Each bit of IV you use will double the possibilities of encrypted text from a given plain text.
IV允许对明文进行加密,使得加密文本更难以为攻击者解密。您使用的每个IV位将使给定纯文本中加密文本的可能性加倍。
For example, let's encrypt 'hello world' using an IV one character long. The IV is randomly selected to be 'x'. The text that is then encrypted is then 'xhello world', which yeilds, say, 'asdfghjkl'. If we encrypt it again, first generate a new IV--say we get 'b' this time--and encrypt like normal (thus encrypting 'bhello world'). This time we get 'qwertyuio'.
例如,让我们使用IV一个字符长加密'hello world'。随机选择IV为'x'。然后加密的文本是'xhello world',例如'asdfghjkl'。如果我们再次加密它,首先生成一个新的IV - 比如我们这次得到'b' - 并且像正常一样加密(从而加密'bhello world')。这次我们得到'qwertyuio'。
The point is that the attacker doesn't know what the IV is and therefore must compute every possible IV for a given plain text to find the matching cipher text. In this way, the IV acts like a password salt. Most commonly, an IV is used with a chaining cipher (either a stream or block cipher). In a chaining block cipher, the result of each block of plain text is fed to the cipher algorithm to find the cipher text for the next block. In this way, each block is chained together.
关键是攻击者不知道IV是什么,因此必须为给定的纯文本计算每个可能的IV以找到匹配的密文。通过这种方式,IV就像密码盐一样。最常见的是,IV与链接密码(流或分组密码)一起使用。在链接块密码中,每个纯文本块的结果被馈送到密码算法以找到下一个块的密文。通过这种方式,每个块链接在一起。
So, if you have a random IV used to encrypt the plain text, how do you decrypt it? Simple. Pass the IV (in plain text) along with your encrypted text. Using our fist example above, the final cipher text would be 'xasdfghjkl' (IV + cipher text).
那么,如果你有一个随机IV用于加密纯文本,你如何解密它?简单。将IV(纯文本)与加密文本一起传递。使用上面的第一个例子,最终的密文将是'xasdfghjkl'(IV +密文)。
Yes you should use an IV, but be sure to choose it properly. Use a good random number source to make it. Don't ever use the same IV twice. And never use a constant IV.
是的你应该使用IV,但一定要正确选择。使用一个好的随机数源来制作它。不要两次使用相同的IV。永远不要使用恒定的IV。
The Wikipedia article on initialization vectors provides a general overview.
Wikipedia关于初始化向量的文章提供了一般概述。
#1
24
An IV is essential when the same key might ever be used to encrypt more than one message.
当相同的密钥可能用于加密多个消息时,IV是必不可少的。
The reason is because, under most encryption modes, two messages encrypted with the same key can be analyzed together. In a simple stream cipher, for instance, XORing two ciphertexts encrypted with the same key results in the XOR of the two messages, from which the plaintext can be easily extracted using traditional cryptanalysis techniques.
原因是,在大多数加密模式下,可以一起分析使用相同密钥加密的两条消息。例如,在简单的流密码中,对使用相同密钥加密的两个密文进行异或运算导致两个消息的XOR,使用传统的密码分析技术可以从中轻松提取明文。
A weak IV is part of what made WEP breakable.
弱IV是使WEP易碎的部分原因。
An IV basically mixes some unique, non-secret data into the key to prevent the same key ever being used twice.
IV基本上将一些独特的非秘密数据混合到密钥中,以防止相同的密钥被使用两次。
#2
8
In most cases you should use IV. Since IV is generated randomly each time, if you encrypt same data twice, encrypted messages are going to be different and it will be impossible for the observer to say if this two messages are the same.
在大多数情况下,您应该使用IV。由于每次都会随机生成IV,如果加密相同的数据两次,加密的消息就会不同,观察者也不可能说这两条消息是否相同。
#3
5
Take a good look at a picture (see below) of CBC mode. You'll quickly realize that an attacker knowing the IV is like the attacker knowing a previous block of ciphertext (and yes they already know plenty of that).
仔细看看CBC模式的图片(见下文)。您很快就会意识到,知道IV的攻击者就像攻击者知道前一块密文一样(是的,他们已经知道了很多这样的密文)。
Here's what I say: most of the "problems" with IV=0 are general problems with block encryption modes when you don't ensure data integrity. You really must ensure integrity.
这就是我所说的:当你不确保数据完整性时,IV = 0的大多数“问题”是块加密模式的一般问题。你真的必须确保诚信。
Here's what I do: use a strong checksum (cryptographic hash or HMAC) and prepend it to your plaintext before encrypting. There's your known first block of ciphertext: it's the IV of the same thing without the checksum, and you need the checksum for a million other reasons.
以下是我的工作:使用强校验和(加密哈希或HMAC)并在加密前将其添加到您的明文中。有你已知的第一个密文块:它是没有校验和的同一个东西的IV,你需要校验和一百万个其他原因。
Finally: any analogy between CBC and stream ciphers is not terribly insightful IMHO.
最后:CBC和流密码之间的任何类比都不是非常有见地的恕我直言。
Just look at the picture of CBC mode, I think you'll be pleasantly surprised.
只要看看CBC模式的图片,我想你会感到惊喜。
Here's a picture:
这是一张图片:
http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation
#4
2
I found the writeup of HTTP Digest Auth (RFC 2617) very helpful in understanding the use and need for IVs / nonces.
我发现HTTP Digest Auth(RFC 2617)的写法非常有助于理解IVs / nonce的使用和需求。
#5
2
If the same key is used multiple times for multiple different secrets patterns could emerge in the encrypted results. The IV, that should be pseudo random and used only once with each key, is there to obfuscate the result. You should never use the same IV with the same key twice, that would defeat the purpose of it.
如果对于多个不同的秘密多次使用相同的密钥,则可能在加密结果中出现模式。 IV,应该是伪随机的,并且每个密钥只使用一次,可以对结果进行模糊处理。你永远不应该使用相同的四次使用相同的密钥,这会破坏它的目的。
To not have to bother keeping track of the IV the simplest thing is to prepend, or append it, to the resulting encrypted secret. That way you don't have to think much about it. You will then always know that the first or last N bits is the IV.
为了不必去追踪IV,最简单的事情是将前置或附加到生成的加密秘密。这样你就不用多想了。然后,您将始终知道第一个或最后一个N位是IV。
When decrypting the secret you just split out the IV, and then use it together with the key to decrypt the secret.
在解密秘密时,您只需拆分IV,然后将其与密钥一起使用以解密秘密。
#6
1
Is it one of those things that need to be evaluated on a case by case basis?
是否需要根据具体情况进行评估?
Yes, it is. Always read up on the cipher you are using and how it expects its inputs to look. Some ciphers don't use IVs but do require salts to be secure. IVs can be of different lengths. The mode of the cipher can change what the IV is used for (if it is used at all) and, as a result, what properties it needs to be secure (random, unique, incremental?).
是的。始终阅读您正在使用的密码以及它希望其输入看起来如何。有些密码不使用静脉注射,但确实需要使用盐。 IV可以具有不同的长度。密码的模式可以改变IV用于什么(如果它被使用),结果,它需要什么属性安全(随机,唯一,增量?)。
It is generally recommended because most people are used to using AES-256 or similar block ciphers in a mode called 'Cipher Block Chaining'. That's a good, sensible default go-to for a lot of engineering uses and it needs you to have an appropriate (non-repeating) IV. In that instance, it's not optional.
通常建议使用,因为大多数人习惯在称为“密码块链接”的模式下使用AES-256或类似的分组密码。对于许多工程用途来说,这是一个很好的,合理的默认设置,它需要你有一个合适的(非重复的)IV。在那种情况下,它不是可选的。
#7
0
The IV allows for plaintext to be encrypted such that the encrypted text is harder to decrypt for an attacker. Each bit of IV you use will double the possibilities of encrypted text from a given plain text.
IV允许对明文进行加密,使得加密文本更难以为攻击者解密。您使用的每个IV位将使给定纯文本中加密文本的可能性加倍。
For example, let's encrypt 'hello world' using an IV one character long. The IV is randomly selected to be 'x'. The text that is then encrypted is then 'xhello world', which yeilds, say, 'asdfghjkl'. If we encrypt it again, first generate a new IV--say we get 'b' this time--and encrypt like normal (thus encrypting 'bhello world'). This time we get 'qwertyuio'.
例如,让我们使用IV一个字符长加密'hello world'。随机选择IV为'x'。然后加密的文本是'xhello world',例如'asdfghjkl'。如果我们再次加密它,首先生成一个新的IV - 比如我们这次得到'b' - 并且像正常一样加密(从而加密'bhello world')。这次我们得到'qwertyuio'。
The point is that the attacker doesn't know what the IV is and therefore must compute every possible IV for a given plain text to find the matching cipher text. In this way, the IV acts like a password salt. Most commonly, an IV is used with a chaining cipher (either a stream or block cipher). In a chaining block cipher, the result of each block of plain text is fed to the cipher algorithm to find the cipher text for the next block. In this way, each block is chained together.
关键是攻击者不知道IV是什么,因此必须为给定的纯文本计算每个可能的IV以找到匹配的密文。通过这种方式,IV就像密码盐一样。最常见的是,IV与链接密码(流或分组密码)一起使用。在链接块密码中,每个纯文本块的结果被馈送到密码算法以找到下一个块的密文。通过这种方式,每个块链接在一起。
So, if you have a random IV used to encrypt the plain text, how do you decrypt it? Simple. Pass the IV (in plain text) along with your encrypted text. Using our fist example above, the final cipher text would be 'xasdfghjkl' (IV + cipher text).
那么,如果你有一个随机IV用于加密纯文本,你如何解密它?简单。将IV(纯文本)与加密文本一起传递。使用上面的第一个例子,最终的密文将是'xasdfghjkl'(IV +密文)。
Yes you should use an IV, but be sure to choose it properly. Use a good random number source to make it. Don't ever use the same IV twice. And never use a constant IV.
是的你应该使用IV,但一定要正确选择。使用一个好的随机数源来制作它。不要两次使用相同的IV。永远不要使用恒定的IV。
The Wikipedia article on initialization vectors provides a general overview.
Wikipedia关于初始化向量的文章提供了一般概述。