
I have a site A and site B where site A needs to send sensitive encrypted data to site B for site B to decrypt. I know that it's best to encrypt using a randomized cryptographic initialization vector (IV) which is unique to each secret string, but my question is:

Given the transfer is made using https, is it safe to send the iv along with the cipher text? Are there best practices to follow for transfer of the iv?

My understanding is that the iv is part of the beginning of the cipher text so I'm inclined to believe there's no real security threat in having the iv in plain sight.

Thanks!

yekta
  • So you want an assurance that sending it is ok? Why do you think that this would not be ok? What have you read that you have doubt about its security? – Artjom B. Jun 27 '16 at 17:31
  • I'm voting to close this question as off-topic because this is not about programming, but [crypto.se]. – Artjom B. Jun 27 '16 at 17:31
  • It was discussed at length [here](http://crypto.stackexchange.com/q/31760/13022). Be sure to follow the duplicate link. – Artjom B. Jun 27 '16 at 17:32
  • @ArtjomB. I was just looking at exactly that Q. Yes, that's a much more complete answer (and the correct site for the question). – Rob Napier Jun 27 '16 at 17:34
  • Never knew about that site 'till now. Thanks! – yekta Jun 27 '16 at 17:36
  • By convention the IV is prepended to the encrypted data; it is not a secret. – zaph Jun 27 '16 at 17:52

1 Answer


A random IV is not a secret. It is no more sensitive than the ciphertext itself. You can transmit it along with the ciphertext without concern.

The only secret in a properly designed crypto system is the key (and obviously the plaintext). Everything else (IVs, salts, algorithms, padding, everything) is assumed to be known by attackers.

Rob Napier
  • That is not correct. For some modes of encryption it is more sensitive than the ciphertext. Sending it in plaintext opens some attack vectors. For example, if the attacker gets a single encoded message together with its plaintext, they may use the unencrypted IV to forge the encrypted message, without knowing the key. See https://stackoverflow.com/questions/59060164/aes-256-encryption-changing-inititialization-vector-slightly-changes-decrypte?rq=1 – Gera Apr 05 '22 at 20:02
  • @Gera You're describing authentication, which is a separate issue. The solution is not to try to hide the IV (which is hopeless, because you still need a way to exchange the IV, which just recurses your problem). The solution is to use an authenticated mode (GCM) or format (CBC+HMAC). The IV should not be secret. If it must be, your crypto-system is broken. As this answer notes, the IV is no more sensitive than the ciphertext itself. Without authentication, the attack you link to is possible against any ciphertext, not just a prepended IV. – Rob Napier Apr 05 '22 at 20:29
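The two sides of this thread, the prepended-IV wire format the answer endorses and the IV-editing attack in the comments, side by side in Go. This is an added example, not code from the original post or from any of the participants; the function names (SealGCM, OpenGCM, CBCEncryptNoAuth, CBCDecryptNoAuth, FlipByte), the demo key, the fixed IV and the sample plaintext are all constructed here so the run is reproducible. It uses only the Go standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealGCM encrypts plaintext with AES-GCM and returns nonce||ciphertext||tag.
// The random nonce (the IV) travels in the clear: it is not a secret, and the
// tag depends on it, so OpenGCM rejects any edit to nonce, ciphertext or tag.
func SealGCM(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to dst, so passing nonce as dst gives the
	// conventional prepended-IV layout.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenGCM splits the prepended nonce off msg, decrypts and verifies the tag.
func OpenGCM(key, msg []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < aead.NonceSize() {
		return nil, errors.New("message shorter than nonce")
	}
	nonce, ct := msg[:aead.NonceSize()], msg[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// CBCEncryptNoAuth returns iv||ciphertext for a block-aligned plaintext with
// no MAC: the unauthenticated setup in which editing the public IV pays off.
func CBCEncryptNoAuth(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != aes.BlockSize || len(plaintext)%aes.BlockSize != 0 {
		return nil, errors.New("iv and plaintext must be block-aligned")
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, plaintext)
	return append(append([]byte{}, iv...), ct...), nil
}

// CBCDecryptNoAuth is the receiver: it trusts whatever IV it was sent.
func CBCDecryptNoAuth(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < 2*aes.BlockSize || len(msg)%aes.BlockSize != 0 {
		return nil, errors.New("malformed message")
	}
	iv, ct := msg[:aes.BlockSize], msg[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pt, nil
}

// FlipByte is the attacker's edit: a copy of msg with byte i XORed by delta.
// In CBC, P1 = D_K(C1) XOR IV, so flipping IV[i] flips P1[i] by the same delta
// with no knowledge of the key; under GCM the same edit only makes OpenGCM fail.
func FlipByte(msg []byte, i int, delta byte) []byte {
	out := append([]byte(nil), msg...)
	out[i] ^= delta
	return out
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // demo key only
	iv := []byte("fixed-iv-16bytes")                 // fixed only for reproducibility
	wire, _ := CBCEncryptNoAuth(key, iv, []byte("amount=000000010"))
	forged, _ := CBCDecryptNoAuth(key, FlipByte(wire, 7, '0'^'9'))
	fmt.Printf("CBC, IV byte flipped, no key needed: %q\n", forged)
	sealed, _ := SealGCM(key, []byte("amount=000000010"))
	_, err := OpenGCM(key, FlipByte(sealed, 0, 0x01))
	fmt.Println("GCM, nonce byte flipped:", err)
}
```

Running it with `go run` decrypts the forged CBC message as `amount=900000010`: the attacker changed the first plaintext byte by editing the IV alone, exactly the attack the comment describes, and hiding the IV would not have helped because the same XOR trick works on any ciphertext block against the next block. The GCM path rejects the identical edit with an authentication error, which is the point of the reply: the fix is authentication, not a secret IV.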