CWE-1204: Generation of Weak Initialization Vector (IV)

Description

The product uses a cryptographic primitive that uses an Initialization Vector (IV), but the product does not generate IVs that are sufficiently unpredictable or unique according to the expected cryptographic requirements for that primitive.

Submission Date: March 9, 2021, midnight

Modification Date: 2023-06-29 00:00:00+00:00

Organization: MITRE

Extended Description

By design, some cryptographic primitives (such as block ciphers) require that IVs have certain properties, such as uniqueness and/or unpredictability. Primitives vary in how important these properties are. If these properties are not maintained, e.g. because of a bug in the code, then the cryptography may be weakened or broken by attacking the IVs themselves.

Example Vulnerable Code

Example - 1

The Wired Equivalent Privacy (WEP) protocol used in the 802.11 wireless standard only supported 40-bit keys, and the IVs were only 24 bits, increasing the chances that the same IV would be reused for multiple messages. The IV was included in plaintext as part of the packet, making it directly observable to attackers. Only 5000 messages are needed before a collision occurs due to the "birthday paradox" [REF-1176]. Some implementations would reuse the same IV for each packet. This IV reuse made it much easier for attackers to recover plaintext from two packets with the same IV, using well-understood attacks, especially if the plaintext was known for one of the packets [REF-1175].

Example - 2

In the following examples, CBC mode is used when encrypting data:


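    /* C (OpenSSL), vulnerable: CBC encryption with an all-zero IV */
    #include <string.h>
    #include <openssl/evp.h>
    #include <openssl/rand.h>

    EVP_CIPHER_CTX ctx;
    char key[EVP_MAX_KEY_LENGTH];
    char iv[EVP_MAX_IV_LENGTH];
    RAND_bytes(key, b);               /* random key; b (key length in bytes) is not defined in this fragment */
    memset(iv, 0, EVP_MAX_IV_LENGTH); /* the IV is always all zeros */
    EVP_EncryptInit(&ctx, EVP_bf_cbc(), key, iv);

    // Java, vulnerable: DES in CBC mode with a hard-coded all-zero IV
    import javax.crypto.Cipher;
    import javax.crypto.KeyGenerator;
    import javax.crypto.SecretKey;
    import javax.crypto.spec.IvParameterSpec;

    public class SymmetricCipherTest {
        public static void main(String[] args) throws Exception {
            byte[] text = "Secret".getBytes();
            // The IV is a constant block of zeros
            byte[] iv = {
                0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
            };
            KeyGenerator kg = KeyGenerator.getInstance("DES");
            kg.init(56);
            SecretKey key = kg.generateKey();
            Cipher cipher = Cipher.getInstance("DES/CBC/PKCS5Padding");
            IvParameterSpec ips = new IvParameterSpec(iv);
            cipher.init(Cipher.ENCRYPT_MODE, key, ips);
            byte[] ciphertext = cipher.doFinal(text);
        }
    }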

In both of these examples, the initialization vector (IV) is always a block of zeros. This makes the resulting ciphertext much more predictable and susceptible to a dictionary attack.
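
The effect of the all-zero IV described above, as an added example that is not part of the original CWE entry: the same message encrypted twice in CBC mode under one key gives identical ciphertext with the fixed IV and different ciphertext with a fresh random IV per message. XTEA stands in for Blowfish/DES so the code builds without OpenSSL; `repeat_visible`, the key and the message are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define BLK 8 /* 64-bit block, as in the Blowfish and DES examples above */

/* XTEA, 32 rounds: stand-in cipher (assumption) so this builds without OpenSSL. */
static void xtea_encrypt(uint32_t v[2], const uint32_t k[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (int i = 0; i < 32; i++) {
        v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + k[sum & 3]);
        sum += 0x9E3779B9u;
        v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + k[(sum >> 11) & 3]);
    }
    v[0] = v0; v[1] = v1;
}

/* CBC over whole blocks: C_i = E(P_i XOR C_{i-1}), with C_0 = IV. */
static void cbc_encrypt(const uint32_t key[4], const uint8_t iv[BLK],
                        const uint8_t *in, uint8_t *out, size_t len) {
    const uint8_t *prev = iv;
    for (size_t off = 0; off + BLK <= len; off += BLK) {
        uint32_t blk[2]; uint8_t x[BLK];
        for (int i = 0; i < BLK; i++) x[i] = in[off + i] ^ prev[i];
        memcpy(blk, x, BLK);
        xtea_encrypt(blk, key);
        memcpy(out + off, blk, BLK);
        prev = out + off;
    }
}

/* Fill iv from the OS CSPRNG; returns 0 on success, -1 on failure. */
static int fresh_iv(uint8_t iv[BLK]) {
    FILE *f = fopen("/dev/urandom", "rb");
    size_t n = f ? fread(iv, 1, BLK, f) : 0;
    if (f) fclose(f);
    return n == BLK ? 0 : -1;
}

/* Encrypt one message twice under one key; 1 = ciphertexts identical, 0 = differ. */
int repeat_visible(int use_zero_iv) {
    static const uint32_t key[4] = {0x01234567u, 0x89abcdefu, 0xfedcba98u, 0x76543210u};
    static const uint8_t msg[] = "PAY 100 TO ALICE"; /* constructed key and message, 16 bytes + NUL */
    uint8_t iv1[BLK] = {0}, iv2[BLK] = {0}, c1[16], c2[16];
    if (!use_zero_iv && (fresh_iv(iv1) || fresh_iv(iv2))) return -1;
    cbc_encrypt(key, iv1, msg, c1, 16);
    cbc_encrypt(key, iv2, msg, c2, 16);
    return memcmp(c1, c2, 16) == 0;
}

int main(void) { printf("zero IV: %d, fresh IV: %d\n", repeat_visible(1), repeat_visible(0)); return 0; }
```

With the fresh IV, each IV has to be stored or sent alongside its ciphertext so the receiver can decrypt; it does not need to be secret.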

Related Weaknesses

This table shows the weaknesses and high-level categories that are related to this weakness. These relationships give an overview of similar items that may exist at higher and lower levels of abstraction.

Visit http://cwe.mitre.org/ for more details.