2

My secret message is encrypted in a byte buffer with AES-128 in CBC mode. The first 16 bytes are the IV and the message follows contiguously. If I want to securely delete this message is it enough to delete (overwrite with random) the IV, the first block, or both?

In an answer to similar post (crypto shredding by erasing the IV instead of the key) it was suggested that if the key and one plain-text block is known then the entire message can be recovered. So it may be better to overwrite the entire secret message...

However, if the secret key has been forgotten decryption is impossible and so the length of the encrypted message is unknown. There may be circumstances where overwriting the entire is undesirable.

Maarten Bodewes
  • 96,351
  • 14
  • 169
  • 323
DrPhill
  • 193
  • 7

2 Answers2

3

If I want to securely delete this message is it enough to delete (overwrite with random) the IV, the first block, or both?

No, it's not enough. Not even if you erase both.

(Not unless your message is at most two blocks long, that is.)

Erasing the IV makes the first block of the message undecryptable. Erasing the IV and the first $n$ blocks of ciphertext makes the first $n+1$ blocks undecryptable. In either case, the rest of the message can still be decrypted normally.

For modes other than CBC, the details may vary, but for all commonly used modes the conclusion remains the same: to ensure that no part of the message can be decrypted even if the key is compromised, you will need to erase the entire ciphertext (or the IV and almost all of the ciphertext, at least).

Ilmari Karonen
  • 46,700
  • 5
  • 112
  • 189
1

First of all, When you have the encryption key, deleting the IV in CBC mode can only prevent the decryption of the first block.

\begin{align} p_0 =& Dec_k(c_0) \oplus IV\\ p_i =& Dec_k(c_i) \oplus c_{i-1} \end{align} The rest of the blocks can be decrypted.

Assuming that you have don't have the encryption key anymore (forgotten), the IV is deleted, and we have only the ciphertexts around, then the only attack for AES-128 is cyphertext only attack by brute-force.

To achieve this, one can try all possible keys and try to see meaningful text and decrypt other blocks with the probable key to see that it is continuing. The search space $2^{128}$ is out of reach for near future. If this attack is somehow successful then the lack of IV will prevent only the decryption of the first block. So, as long as AES secure, you can leave it as it is.

Note: to be secure, one needs to prefer shredding as much as possible.

kelalaka
  • 49,797
  • 12
  • 123
  • 211