I'm testing AES encryption functions from this example. I have found that if I change the IV to other random data, just a part of the text becomes inaccessible, and the other part decrypts correctly.

This is my code:

    public static string encrypt(string original, string key, string iv)
    {
        // The key and IV arrive Base64-encoded; decode them before use.
        byte[] keyBytes = Convert.FromBase64String(key);
        byte[] ivBytes = Convert.FromBase64String(iv);

        // Encrypt the string to an array of bytes.
        byte[] encrypted = EncryptStringToBytes_Aes(original, keyBytes, ivBytes);

        // Return the ciphertext Base64-encoded.
        return Convert.ToBase64String(encrypted);
    }

    public static string decrypt(string encrypted, string key, string iv)
    {
        // Decode the Base64 ciphertext, key and IV, then decrypt to a string.
        byte[] cipherBytes = Convert.FromBase64String(encrypted);
        byte[] keyBytes = Convert.FromBase64String(key);
        byte[] ivBytes = Convert.FromBase64String(iv);

        return DecryptStringFromBytes_Aes(cipherBytes, keyBytes, ivBytes);
    }

And these are my `EncryptStringToBytes_Aes` and `DecryptStringFromBytes_Aes` functions.

For example, my input string is `Hello, I think Hugo is a great movie!`. It will be encrypted to `lbMvxzBtu057yeNV5d/5MC7tlau7zfRXMtfLSUOBa7ueMGqRrm23H5uYGLmDcdJ3` with base64ed key `gbpldgjBitwQXrQbbyHr+5J0cXADYAm+po8B29rYVJc=` and base64ed IV `Ti7OcORScdXS/Ll7m1KdeQ==`. (I'm getting the base64ed key and IVs as input to my functions, and I decode them in my function, as you can see in the code above.)

Now if I change the IV to `m4u5eqD7BZP11P5PYGfV7Q==` but do not touch the key, then try to decrypt the encrypted string, I'll get this result: `��f+�T\/]�^h�ugo is a great movie!`.

As you see, a part of the input string (`ugo is a great movie!`) was decrypted successfully. Is that usual? If yes, how can I prevent this? Are there any other algorithms which are more secure than this? And if not, what is wrong with my code?

Mahdi Ghiasi
  • Please post the contents of `EncryptStringToBytes_Aes` and `DecryptStringToBytes_Aes`. The link included goes to the Microsoft AesManaged class documentation and not your code. The answer might be related to the block cipher mode you are using but it is hard to tell without that code. – akton Sep 13 '12 at 13:44
  • @akton Question updated. – Mahdi Ghiasi Sep 13 '12 at 13:47
  • Please post the contents of `EncryptStringToBytes_Aes` and `DecryptStringToBytes_Aes`. Using CBC will not cause the behaviour above because the cipher text from the first block using one IV and the same key will not equal the cipher text of the first block using a second IV, meaning the second block decrypts to the same plaintext. Something else is going on. – akton Sep 13 '12 at 13:51
  • @akton Question updated with a link to contents of those functions. – Mahdi Ghiasi Sep 13 '12 at 13:53

1 Answer

If you use CBC, a wrong IV only prevents the decryption of the first block, i.e. the first 16 bytes in the case of AES. That's by design and not a weakness.

See "Can CBC ciphertext be decrypted if the key is known, but the IV not?" for details of how CBC treats an IV.

CodesInChaos
  • Yes, I'm using CBC. But is there any better CipherMode, so that a wrong IV prevents decryption of the whole string? – Mahdi Ghiasi Sep 13 '12 at 13:47
  • @MahdiGhiasi Why do you want that property? An IV is not a secret, it typically gets included with your cipher text, so an attacker knows the IV. The purpose of an IV is to be different for each encryption [and unpredictable in the case of CBC], so you can achieve [semantic security](http://en.wikipedia.org/wiki/Semantic_security). – CodesInChaos Sep 13 '12 at 13:47
  • Well, my real problem is this: http://stackoverflow.com/q/11635798/942659 I want to store some passwords in my database, and (as the answer to that question said) I'll store the IV in the database and the key in web.config... I'm new to cryptography, and I don't know exactly why :) I'm just looking for the safest way to store those passwords in a remote database. – Mahdi Ghiasi Sep 13 '12 at 13:51
  • What do you think? Is there any better way to store those passwords? – Mahdi Ghiasi Sep 13 '12 at 13:54
  • You could add a MAC, but apart from that, AES CBC is fine. – CodesInChaos Sep 13 '12 at 14:14
  • In my case, I concluded using an AES diversified key to encrypt the data... that means different keys for different cards (UID). – Studuino Sep 14 '12 at 05:57
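
The behaviour described in the answer, together with the MAC suggested in the comments, as an added example (not code from the question or from either poster). It assumes .NET 6 or later; the class name `CbcIvDemo`, the helpers `Crypt` and `Tag`, and the randomly generated keys and IVs are constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class CbcIvDemo
{
    // AES-CBC with PKCS7 padding, set explicitly (these are also the .NET defaults).
    static byte[] Crypt(byte[] data, byte[] key, byte[] iv, bool encrypt)
    {
        using var aes = Aes.Create();
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.PKCS7;
        using var t = encrypt ? aes.CreateEncryptor(key, iv) : aes.CreateDecryptor(key, iv);
        return t.TransformFinalBlock(data, 0, data.Length);
    }

    // Encrypt-then-MAC tag over IV || ciphertext, keyed with a separate MAC key.
    static byte[] Tag(byte[] macKey, byte[] iv, byte[] ct)
    {
        using var h = new HMACSHA256(macKey);
        return h.ComputeHash(iv.Concat(ct).ToArray());
    }

    static void Main()
    {
        // Constructed sample values: random keys and IVs generated for this run.
        byte[] encKey = RandomNumberGenerator.GetBytes(32);
        byte[] macKey = RandomNumberGenerator.GetBytes(32);
        byte[] iv = RandomNumberGenerator.GetBytes(16);
        byte[] wrongIv = RandomNumberGenerator.GetBytes(16);

        byte[] pt = Encoding.UTF8.GetBytes("Hello, I think Hugo is a great movie!");
        byte[] ct = Crypt(pt, encKey, iv, true);
        byte[] tag = Tag(macKey, iv, ct);

        // CBC: P1 = D(C1) XOR IV, but P2 = D(C2) XOR C1, so only block 1 depends on the IV.
        byte[] bad = Crypt(ct, encKey, wrongIv, false);
        Console.WriteLine("first 16 bytes intact: " + pt.Take(16).SequenceEqual(bad.Take(16)));
        Console.WriteLine("tail after wrong IV:   " + Encoding.UTF8.GetString(bad, 16, bad.Length - 16));

        // Verify the tag in constant time before decrypting; a changed IV is rejected outright.
        bool okWrong = CryptographicOperations.FixedTimeEquals(tag, Tag(macKey, wrongIv, ct));
        bool okRight = CryptographicOperations.FixedTimeEquals(tag, Tag(macKey, iv, ct));
        Console.WriteLine($"MAC accepts wrong IV: {okWrong}, correct IV: {okRight}");
        if (okRight)
            Console.WriteLine(Encoding.UTF8.GetString(Crypt(ct, encKey, iv, false)));
    }
}
```

Because the tag covers the IV as well as the ciphertext, a stored record whose IV has been altered fails verification before any decryption is attempted.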