
Theoretically, when using a symmetric block cipher in CBC mode, the current block is dependent on the previous block. Suppose one plaintext is encrypted using CBC, and then one bit of it is changed, let's say somewhere in the middle. Then the new ciphertext will change from the middle onward. Would it be better if I used CBC like this?

  1. encrypt plaintext
  2. reverse the ciphertext
  3. continue encrypting (now from finish to start)

That would ensure that one modification to the plaintext will change the entire new ciphertext. Right?

Paŭlo Ebermann
Clau

3 Answers

Your problem is that if you encrypt two messages which start the same (and change at some point later on) the beginning of the ciphertext will be the same in CBC mode when using the same IV.

Normally you should change the IV every time you encrypt a new message. This is precisely what the IV is meant for - achieving IND-CPA (semantic) security, which prevents an attacker from detecting where the message was changed. Once you do this, your concerns go away, since even two similar messages (say, an old document and a newer, slightly revised one) will be encrypted with completely different IVs, and hence their ciphertexts will be unrelated. And you don't need a two-pass scheme anymore!

Thomas

You need to use a different IV for every message you encrypt. Thus, rather than the process:

  1. encrypt plaintext
  2. reverse the ciphertext
  3. continue encrypting (now from finish to start)

You need to generate an IV each time, i.e.:

  1. generate IV
  2. encrypt the plaintext using the IV
  3. store/send the ciphertext and the materials required to recreate IV

The easiest choice is to generate random IVs. This will of course require more storage space (ciphertext + 16 bytes).

Some other schemes which deterministically generate the IV are allowed. See NIST SP800-38A for recommendations on how the CBC mode IV can be generated.

How to use CBC without expanding the ciphertext

Linux's dm-crypt uses CBC-ESSIV mode, which generates the IV on the fly without needing expansion and thus allows CBC mode to be used without requiring more space than the size of the plaintext (assuming the plaintext size is a multiple of the AES block size). However, this mode requires a significant amount of processing to calculate the IV.

(There are also some other ways to use CBC or to build a mode based on CBC which do not need to store the IV.) Common to all such modes and mode variants is: you need to be very careful with such a mode so that IV reuse does not happen unexpectedly.

For example, one notable situation where IV reuse occurs is when CBC-ESSIV stores the same value to the same block. In some security models this is considered acceptable.

user4982
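The following is an added example, not code from the question or from either answer, that makes the points of the two answers above concrete in one runnable script. It uses a constructed toy Feistel block cipher (an assumption made only so the script runs offline; it stands in for AES and is not a real cipher) and a CBC implementation over it, then compares: CBC with one reused IV (the shared first block shows where two messages diverge), the question's two-pass reverse scheme (every block changes, but identical messages still encrypt identically), CBC with a fresh random IV (two encryptions of the same message share nothing), and an ESSIV-style IV derived by encrypting the sector number under a hash of the key, which is how dm-crypt's CBC-ESSIV forms its IV and which shows the same-data-same-sector repetition user4982 mentions. The key and messages are constructed sample values.

```python
import hashlib
import hmac
import os

BLOCK = 16   # block size in bytes (same as AES)
ROUNDS = 4

# --- Toy Feistel block cipher (demonstration only, NOT a real cipher) ---
# Any 16-byte block cipher would do; the mode properties shown below do not depend on it.

def _round_keys(key):
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(ROUNDS)]

def _f(round_key, half):
    return hmac.new(round_key, half, hashlib.sha256).digest()[:8]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_encrypt_block(key, block):
    l, r = block[:8], block[8:]
    for rk in _round_keys(key):
        l, r = r, _xor(l, _f(rk, r))
    return l + r

def toy_decrypt_block(key, block):
    l, r = block[:8], block[8:]
    for rk in reversed(_round_keys(key)):
        l, r = _xor(r, _f(rk, l)), l
    return l + r

# --- CBC mode with PKCS#7 padding ---

def _pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def _unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt_blocks(key, iv, data):
    """CBC over data that is already a multiple of BLOCK (no padding added)."""
    prev, out = iv, []
    for i in range(0, len(data), BLOCK):
        prev = toy_encrypt_block(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_encrypt(key, iv, plaintext):
    return cbc_encrypt_blocks(key, iv, _pad(plaintext))

def cbc_decrypt(key, iv, ciphertext):
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(toy_decrypt_block(key, c), prev))
        prev = c
    return _unpad(b"".join(out))

def two_pass_encrypt(key, iv, plaintext):
    """The scheme from the question: CBC, reverse the bytes, CBC again with the same IV."""
    return cbc_encrypt_blocks(key, iv, cbc_encrypt(key, iv, plaintext)[::-1])

def essiv(key, sector):
    """ESSIV-style IV: encrypt the sector number under a hash of the key (dm-crypt does this with AES)."""
    return toy_encrypt_block(hashlib.sha256(key).digest(), sector.to_bytes(BLOCK, "big"))

def common_prefix_blocks(ct1, ct2):
    """How many leading ciphertext blocks two ciphertexts share (what a passive observer can see)."""
    n = 0
    for i in range(0, min(len(ct1), len(ct2)), BLOCK):
        if ct1[i:i + BLOCK] != ct2[i:i + BLOCK]:
            break
        n += 1
    return n

def demo():
    key = b"constructed demo key"        # constructed sample key
    fixed_iv = bytes(BLOCK)              # the mistake: one IV reused for every message
    msg_a = b"Dear customer, your balance is 100 EUR. Regards"
    msg_b = b"Dear customer, your balance is 900 EUR. Regards"   # differs inside block 2
    iv1, iv2 = os.urandom(BLOCK), os.urandom(BLOCK)
    c_a, c_b = cbc_encrypt(key, fixed_iv, msg_a), cbc_encrypt(key, fixed_iv, msg_b)
    t_a, t_b = two_pass_encrypt(key, fixed_iv, msg_a), two_pass_encrypt(key, fixed_iv, msg_b)
    r_1, r_2 = cbc_encrypt(key, iv1, msg_a), cbc_encrypt(key, iv2, msg_a)
    e_7, e_8 = cbc_encrypt(key, essiv(key, 7), msg_a), cbc_encrypt(key, essiv(key, 8), msg_a)
    return {
        # reused IV: the shared first block reveals where the two messages diverge
        "fixed_iv_shared_prefix_blocks": common_prefix_blocks(c_a, c_b),
        # two-pass scheme: every block changes, but identical inputs still encrypt identically
        "two_pass_shared_prefix_blocks": common_prefix_blocks(t_a, t_b),
        "two_pass_same_message_identical": t_a == two_pass_encrypt(key, fixed_iv, msg_a),
        # fresh random IV: two encryptions of the SAME message share nothing, and still decrypt
        "random_iv_shared_prefix_blocks": common_prefix_blocks(r_1, r_2),
        "random_iv_roundtrip": cbc_decrypt(key, iv1, r_1) == msg_a,
        # ESSIV: deterministic IV per sector; same data in the same sector repeats the ciphertext
        "essiv_same_sector_identical": e_7 == cbc_encrypt(key, essiv(key, 7), msg_a),
        "essiv_other_sector_shared_blocks": common_prefix_blocks(e_7, e_8),
    }
```

Running `demo()` returns a dictionary of the observations: one shared leading block under the reused IV, zero shared blocks under the two-pass scheme but an identical ciphertext whenever the same message is re-encrypted, zero shared blocks and a successful round trip with random IVs, and for ESSIV a repeated ciphertext only when the same data lands in the same sector. The two-pass scheme therefore does not remove the real weakness (determinism under a fixed IV); a fresh IV per message does, at the cost of storing it.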

It looks like what you are describing is comparable to IGE (Infinite Garble Extension) and especially biIGE mode of encryption.

So I guess my question and the answer to my question here are of relevance.

Maarten Bodewes