Why mysql AES initialization vector length is always limited to 16 bytes, even if I choose aes-256-cbc mode? Shuldn't it be 32 in this case?

Question

I've set block_encryption_mode=aes-256-cbc on my MySQL8.0 server.

The mysql 8.0 manual says:

For modes that require the optional init_vector argument, it must be 16 bytes or longer (bytes in excess of 16 are ignored).

My understanding of CBC mode block cipher is that the initialization vector shoud be as big as the key, i.e. 32 bytes in my case. Wikipedia confirms this:

To initiate this process, an additional input value is required to be mixed with the first block, and which is referred to as an initialization vector. For example, the cipher-block chaining (CBC) mode requires an unpredictable value of the cipher's block size as additional input, ...

I've verified that mysql ignores everything past the 16th byte, with the simple query

SELECT AES_ENCRYPT(UNHEX('0000000000000000000000000000000000000000000000000000000000000000'),UNHEX('0000000000000000000000000000000000000000000000000000000000000000'),UNHEX('0000000000000000000000000000000000000000000000000000000000000000'))

which produces the same result as

SELECT AES_ENCRYPT(UNHEX('0000000000000000000000000000000000000000000000000000000000000000'),UNHEX('0000000000000000000000000000000000000000000000000000000000000000'),UNHEX('0000000000000000000000000000000000000000000000000000000000000001'))

Since Mysql fills with zeroes any missing bytes in the key, I imagine it does the same for the IV.

Doesn't this weaken the encryption? Are you aware of any other AES implementation that forces 128bits IVs, independently of the cipher block size?

Answer 1

AES block size is always 128 bits (16 bytes), but it accepts different key sizes (128/196/256 bits).

BTW, Rijndael can work with 256 bits block sizes, but it is not wide spread.