Home > aes > Decryption on AES when the same key and IV are used

Decryption on AES when the same key and IV are used

October 10Hits:2

Let's say that I have three messages being encrypted by AES-128 with the same key and IV every time. Is it possible to decrypt the key being used? And more importantly, is it possible to decrypt the plaint text of those messages?


What happens here depends on the mode of operation. As a basic rule, knowledge of the messages will not allow you to recompute the key itself, but it may give you enough information to (instantly) crack any other message encrypted with the same key and IV.

With CTR mode, a key-dependent stream is produced by encrypted the successive values of a counter, and the counter starts at the value given in the IV. The actual data encryption is performed by XORing this stream with the data to encrypt. If the same key and IV are used, then you get the same stream, so you are in the conditions of the (in)famous two-times pad. Without knowing the key, you can still compute the XOR of any two messages, which is often enough to crack them, by exploiting their internal structure. Once one of the messages is known, this reveals the key-dependent stream (up to the message length) and this allows for immediate decryption of any other message (up to that length) encrypted with the same key+IV.

OFB mode is in a similar situation: it produces a key-dependent pseudo-random stream. So it can be broken with the same level of ease as CTR.

With CBC mode, things are a bit harder for the attacker. If the messages start with the same bytes, then you will be able to see it. After the first distinct bytes, decryption becomes much harder. This is because, in effect, each block in CBC encryption is used as IV for the remainder of the message, and encryption of data with a block cipher tends to produce properly distributed IV for CBC. Generically, CBC requires a uniformly random IV which is unpredictable by the attacker, but in your situation you envision a passive-only attacker, and against such an adversary, an IV selected by encrypted a known data block is good enough for CBC, as long as the IV source is not reused; this is what you obtain with your messages, beginning with the first block at which the messages differ.

CFB mode is somewhere in between. If two messages begin with the same n bytes, then the encrypted messages will begin with the same n bytes too; then, for the remainder of the block containing the n+1-th byte, this is two-times pad. For the subsequent bytes, the streams have forked and attacker's power stops.

Important: though the paragraphs above seem to indicate that CBC or CFB would be safe for key+IV reuse as long as you include a counter in the header of each message, remember that this is for a passive attacker only. In many (most) scenarios, the attacker can be also embed a bit of data of his own in the messages which are to be encrypted, and/or alter the encrypted bytes and see what happens when they are decrypted. For these scenarios, which are realistic (many recent attacks again SSL are all about that), IV reuse, and even predictable IV selection (with CBC), are hopelessly weak. Do not reuse IV.

The only situation where a fixed IV is fine is when keys are never reused, i.e. each key is used for a single message only. This is, in practice, harder to obtain than a new per-message IV, because keys must be kept confidential: it is already challenging to have a key which is known by both the sender and the receiver, but by nobody else. At least, IV do not have this confidentiality requirement, and thus can be transmitted along with the message itself.

Using the same IV and key for more than one message doesn't jeopardize the key but it does make it easier for an attacker to obtain the plain-text. How it does so depends on the mode of operation used.

If the mode of operation is a stream cipher (such as Counter mode or OFB) then using the same IV and key for two message is like using the same "one time pad" for two messages - the attacker can obtain a XOR of the messages by simply XORing the encrypted messages. This is should be enough information for a competent attacker to obtain the clear messages. For more details see Taking advantage of one-time pad key reuse?.

But even if the mode of operation is not a stream cipher (e.g. CBC) reusing the same IV and key will leak information about the messages - for example, if they start with the same data.

So the rule is - don't reuse IVs.


Related Articles

  • Decryption on AES when the same key and IV are usedOctober 10

    Let's say that I have three messages being encrypted by AES-128 with the same key and IV every time. Is it possible to decrypt the key being used? And more importantly, is it possible to decrypt the plaint text of those messages? --------------Soluti

  • Storing AES encrypted RSA private keys on a serverNovember 11

    I'm thinking about creating an encrypted messaging web application where users create RSA key pairs, they store the public key on the server for others to see and also store an AES encrypted private key on the server. Thus, to verify their identity,

  • computational complexity class of decryption of AES June 6

    I haven't really seen what computational complexity class of decryption of AES is. Can anyone provide reference papers or answers here? --------------Solutions------------- The time of AES encryption/decryption in any of the standard modes like CBC o

  • Encrypt and Decrypt with AES ECB mode 'BadPaddingException' in some casesJanuary 21

    In android/java app public static void setKey(String myKey) { MessageDigest sha = null; try { key = new byte[]{(byte) '5', (byte) 'F', (byte) '8', (byte) 'p', (byte) 'J', (byte) 't', (byte) 'v', (byte) 'U', (byte) 'm', (byte) 'q', (byte) 'k', (byte)

  • Help with AES decryption with AES-NI InstructionsFebruary 1

    I am in process of implementing a AES 128 encryption in AVX2 assembly (using AES NI), and am having some problems with decryption logic. I have implemented the encryption sequence without any trouble. However, decryption has been giving many problems

  • How and why can a decryption program tell me that a key is incorrect?January 6

    I have noticed that some programs used for file encryption will tell you if an entered key is wrong when you try to decrypt. It seems (to me at least) that this would mean that the key somehow is written into the encrypted file. And the algorithms th

  • Is there symmetric encryption like AES or Camelia with keys longer than 256 bits?September 13

    I am wondering if is there any (secure!) cipher like AES or Camelia with keys longer than 256 bits (and offering higher security than 256 bits). I have not found anything except http://www.ciphers.de/eng/index.html where they say they have such ciphe

  • Are AES-256's related-key weaknesses exploitable if it is used to build a hash?

    Are AES-256's related-key weaknesses exploitable if it is used to build a hash?April 14

    Assume it is made a hash based on AES-256 encryption (perhaps because this is hardware-accelerated, but no standard hash is); and it is used the Merkle–Damgård structure, that is padding of the message into $n$ padded message blocks $M_i$ (appending

  • AES-128 with weak keySeptember 21

    Doing malware research (simple crypto locker) I found out that it uses AES-128 with weak key - every one of the sixteen bytes is represented by (a-z,A-Z,0-9). Thus simple brute-force attack should iterate through $62^{16}$, that is approximately $2^{

  • File Encryption and Decryption using AESFebruary 5

    First of all I'm totally new on cryptography, but I need to develop a program to encrypt and decrypt files. I want to use AES for encryption and decryption. My first idea was read the entire file in a string then encrypt the file and later decrypt th

  • How to decrypt a file given the encryption key and the file but not the algorithm?October 4

    I am trying to backup some files that have been encrypted by a 3rd party solution we use in work. I would like to back them up in their unencrypted state as our backup solution has robust encryption option. It's also worth noting that the files do no

  • Asymmetric crypto: Decrypt own messages without having private keyAugust 15

    I have built a messages system for my website. Users can send the admin messages which are stored in the DB after being AES-encrypted. I think that using asymmetric crypto (RSA through openssl) would be more secure: no decryption key to hardcode in p

  • Validating successful decryption in AESFebruary 20

    I have a program which uses AES-256 in CBC mode to encrypt and decrypt files. As I have quickly realized, AES will even use an incorrect passphrase to decrypt data, which leaves me with no way to validate whether the passphrase was correct or not and

  • AES encryption with multiple keysMay 29

    I would like to encrypt some data using a combination of multiple keys. There would be two keys: a client keys that would be generated for each client and a single server/application key used by everyone. The idea is to be able to encrypt/decrypt the

  • How to break AES/CBC/PKCS5 when key and IV are reused?November 21

    I'm doing a code review for a crypto solution that reuses the same key with a constant IV. I want to demonstrate that this is not the right way to do things by figuring out the key and decrypting all of their test data. I have access to lots of ciphe

  • How does encryption/decryption work when one generate random key?March 8

    I am new to this and want to ask a basic question. Suppose I used my password (say "ABC123") to generate a key using the PBKDF2 algorithm (or any such algorithm). For encrypting a file I'll input my password and a key will be generated. This key

  • How to decrypt LUKS with the known master key?March 15

    From: https://code.google.com/p/cryptsetup/wiki/FrequentlyAskedQuestions CLONING/IMAGING: If you clone or image a LUKS container, you make a copy of the LUKS header and the master key will stay the same! That means that if you distribute an image to

  • What's the point of a Meet In The Middle attack using i.e. double AES with throw-away keys?August 27

    What's the point of a Meet In The Middle attack while using, for example, a double AES encryption and using one time keys? You can recover the keys for a secret message already known and you can't use those keys to retrieve other secret messages. So

  • Using AES with a hex key/iv, what mode of operation is the "most secure"October 13

    I realize that is a loaded question, but it is not an unreasonable one. given a hex key/iv, what mode of operation is most secure from offline attacks. I defaulted to aes-128-cbc. Partly because of schneier's 128 > 256 article. cbc because friends do

  • mutt, smime, decrypt with one of two different keysNovember 17

    This is an odd one. We want to have an encrypted e-mail list. There are a few ways to do this, but in the interim what we've done is created a public/private keypair via openssl for our e-mail list ([email protected]) and then distributed the public/priva

Copyright (C) 2017 ceus-now.com, All Rights Reserved. webmaster#ceus-now.com 14 q. 0.650 s.