JaneDoe

Reputation: 107

Numbers in initialization vector (IV) are all zeros

I'm having trouble understanding the following sentence: "the numbers in initialization vector (IV) are all zeros (not the ASCII character '0')".

My goal is to use the openssl enc command to encrypt a file using aes-128-cbc with a key K (let's say 1234567890) and the iv that fulfils such requirements.

So far, I've tried not putting the -iv option but it then says "iv undefined" because if option -K is used, option -iv must be provided. I've tried to use -iv 0 but I'm not sure it is the correct one.

For instance, I used:

openssl enc -aes-128-cbc -e -in input.txt -out output.txt -K 1234567890 -iv 0

Can you please help me illustrate the correct iv that fulfills the above requirements?

Upvotes: 3

Views: 9870

Answers (2)

Konstantin Shemyak

Reputation: 2537

The OpenSSL implementation of AES-CBC requires the IV to be the same size as the block size, i.e. 128 bits in your case. The enc manual page says:

-iv IV
    the actual IV to use: this must be represented as a string comprised only of hex digits.

It does not say how all 128 bits are obtained if the IV given on the command line is shorter, as in your example command.

Fortunately, the source code of OpenSSL is available. We can see in enc.c that the IV is initialized to all zeros, and then the starting bytes are filled from the command-line argument:

[hiv is the value of the command-line option -iv:]

if ((hiv != NULL) && !set_hex(hiv, iv, sizeof iv)) {
    BIO_printf(bio_err, "invalid hex iv value\n");

[...]

int set_hex(char *in, unsigned char *out, int size)
{
    int i, n;
    unsigned char j;

    n = strlen(in);
    if (n > (size * 2)) {
        BIO_printf(bio_err, "hex string is too long\n");
        return (0);
    }
    memset(out, 0, size);
    for (i = 0; i < n; i++) {
    .......

So, what you are doing - providing just a single zero for '-iv' - happens to produce the all-zeroes IV which you need.

Note that using a constant IV - and especially a "typical" one, such as all zeros - is bad security practice; the Wikipedia article explains why.

Upvotes: 2

Leśny Rumcajs

Reputation: 2526

For the CBC, CFB or OFB modes you need an initialization vector whose length is equal to the block size of the specific cipher. For AES you have 128 bits.

You can check your command by using -p, for example:

openssl enc -aes-128-cbc -e -in test.txt -out output.txt -K 1234567812346578 -iv 0 -p

Would give you:

salt=A086E8DE00000000
key=12345678123456781234567812345678
iv =00000000000000000000000000000000

If your key or IV is too short, it will pad it with zeroes until it reaches the correct size.

Upvotes: 2
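
The zero-fill behaviour both answers describe can be checked with a small stand-alone model. This is an added example, not code from either answer or from OpenSSL: `expand_hex`, `expanded_byte` and `iv_is_all_zero` are hypothetical names, and the sketch assumes hex digits are written left to right, high nibble first, into a zeroed 16-byte buffer. It also shows the distinction the question asks about: `-iv 0` gives sixteen 0x00 bytes, while the ASCII character '0' is the byte 0x30.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define AES_BLOCK 16 /* AES block size in bytes; the CBC IV has the same size */

/* Assumed model of the zero-fill: clear the buffer, then write hex digits
 * left to right, high nibble first. Returns 0 on too-long or non-hex input. */
static int expand_hex(const char *in, unsigned char *out, size_t size)
{
    size_t i, n = strlen(in);
    if (n > size * 2)
        return 0;
    memset(out, 0, size);
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)in[i];
        if (!isxdigit(c))
            return 0;
        unsigned char v = (unsigned char)(isdigit(c) ? c - '0' : tolower(c) - 'a' + 10);
        /* even index: high nibble; odd index: low nibble (buffer starts at 0) */
        out[i / 2] |= (unsigned char)((i & 1) ? v : v << 4);
    }
    return 1;
}

/* Byte idx of the expanded 16-byte value, or -1 if the argument is invalid. */
int expanded_byte(const char *hex, size_t idx)
{
    unsigned char buf[AES_BLOCK];
    if (idx >= AES_BLOCK || !expand_hex(hex, buf, sizeof buf))
        return -1;
    return buf[idx];
}

/* 1 if the argument expands to sixteen 0x00 bytes, 0 if not, -1 if invalid. */
int iv_is_all_zero(const char *hex)
{
    static const unsigned char zero[AES_BLOCK];
    unsigned char buf[AES_BLOCK];
    if (!expand_hex(hex, buf, sizeof buf))
        return -1;
    return memcmp(buf, zero, AES_BLOCK) == 0;
}

int main(void)
{
    printf("-iv 0  -> all zero: %d\n", iv_is_all_zero("0"));
    printf("-iv 30 -> first byte 0x%02x (ASCII '0')\n", expanded_byte("30", 0));
    return 0;
}
```

Under the same assumption, the question's `-K 1234567890` expands to the bytes 12 34 56 78 90 followed by eleven zero bytes, so most of that key is zero padding.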
