
For a stream cipher to be secure against repeated key attacks the IV's should not repeat themselves. But does SecureRandom have a benefit over a simple non-secure Random in that respect (or is it just for generating an unpredictable sequence)?

Assuming I'm using fixed sized messages with AES CBC mode and I generate a new Random for each IV (using the current nano time as seed) does this increase the probability of repeating IV compared to a SecureRandom?

  • NIST published [Special Pub 800-90](http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf) just for these types of problems. You seed a DRBG with entropy from a SecureRandom instance and then use the seeded DRBG to generate IVs. – President James K. Polk Sep 04 '12 at 11:41

4 Answers


The biggest problem with using Random to generate your IV is not that it is likely to repeat, but that an attacker can predict future IVs, and this can be used to attack CBC.

Related: https://crypto.stackexchange.com/q/3515/2805

finnw
  • Exactly. You should assume previous IVs are known to the attacker, so you need an RBG that isn't compromised by this. – erickson Sep 03 '12 at 17:48
  • According to that link this only enables chosen plaintext attacks, so as long as I'm encrypting my own internally generated data, Random is good enough. For all other cases, SecureRandom is needed. – user9397757 Sep 04 '12 at 11:51
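The setup the question describes (AES-CBC with a fresh IV per message), as an added Java example that is not code from the question or from any answer: the IV is drawn from SecureRandom and prepended to the ciphertext so the receiver can recover it. Class and method names are my own, and the sample message is constructed.

```java
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

public class CbcIvDemo {
    // One CSPRNG for the process; SecureRandom seeds itself from OS entropy.
    private static final SecureRandom RNG = new SecureRandom();
    private static final int IV_LEN = 16; // AES block size in bytes

    // Fresh, unpredictable IV per message. This replaces the pattern from the
    // question (new Random(System.nanoTime())), whose 48-bit state and guessable
    // seed let an observer of earlier IVs predict later ones.
    static byte[] secureIv() {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);
        return iv;
    }

    // Output layout: IV || ciphertext. The IV is not secret, so it travels in the clear.
    // Like the question's setup this is unauthenticated CBC; a MAC would be added in practice.
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = secureIv();
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plaintext);
        return ByteBuffer.allocate(IV_LEN + ct.length).put(iv).put(ct).array();
    }

    static byte[] decrypt(SecretKey key, byte[] ivAndCt) throws Exception {
        IvParameterSpec iv = new IvParameterSpec(ivAndCt, 0, IV_LEN);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, key, iv);
        return c.doFinal(ivAndCt, IV_LEN, ivAndCt.length - IV_LEN);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        byte[] msg = "fixed-size message 0001".getBytes("UTF-8"); // constructed sample
        byte[] a = encrypt(key, msg), b = encrypt(key, msg);
        // Same key and plaintext, but distinct IVs give distinct ciphertexts.
        System.out.println("distinct ciphertexts: " + !Arrays.equals(a, b));
        System.out.println("round trip ok: " + Arrays.equals(msg, decrypt(key, a)));
    }
}
```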

Random uses a 48-bit key, so it will repeat approximately every 2^48 values. That means not every possible long will be generated. That may or may not be random enough for you. If in doubt, use SecureRandom; you can always change it later.

Peter Lawrey
  • I would suspect that it is random enough. The key should have been rolled *long* before an attacker has any luck in hunting for common IVs in a 2^48 example space. – Duncan Jones Sep 03 '12 at 14:09

Yes, the IV should be fully random. If you don't use a fully random IV, you will likely leak information about the plaintext. Don't forget that the random IV is XOR'ed with the plaintext. So if the IV has a predictable structure, you may find repeating ciphertexts, and thus leak information the same way that ECB does. This will be even more pronounced if the attacker can influence the plaintext to be encrypted.

Maarten Bodewes

An IV is not normally required to be unpredictable, but it does need to be used only once. What this means is that a simple random number generator that uses a weak seed or has a short period should not be used to generate an IV.

The strongest random number generators in use only generate a few tens of bits of entropy per second. Most algorithms treat the IV as secondary to the key. So the slow and strong RNG should be reserved for the key and for seeding a fast, long-period RNG for the IV.