0

I have to send data from a C# application to a Java application. The Java developers say they have implemented TripleDES (3DES) encryption using CBC mode to decrypt messages coming from other apps. They have provided the following information for encrypting a message before sending it.

  • Encryption: TripleDES (3DES) (Symmetric)
  • Mode: CBC
  • Padding: PKCS5
  • IV (salt): No IV/salt is used

Please guide me, is there a way to implement CBC mode without an IV/salt? The TripleDES provider in C# generates a random IV (if no IV is set manually) and decryption fails without using an IV.

Ashfaq
  • It seems like [this](https://stackoverflow.com/q/12522191/9363973) Q&A already answered your question – MindSwipe May 27 '20 at 05:01
  • But just to reiterate : There is no way to implement CBC mode without an IV, as it requires one by definition – MindSwipe May 27 '20 at 05:04
  • @MindSwipe I have shared this answer with them but they (JAVA devs) are still saying that they are not using any IV/Salt. So I want to confirm this from all aspects. – Ashfaq May 27 '20 at 05:08
  • Can you link to anything showing that they are claiming this? Also, isn't Java open source? So shouldn't you be able to go and verify if they are telling the truth? The Wikipedia article about Cipher Block Chaining (CBC) states that an initialization vector must be used in the first block ([source](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Cipher_block_chaining_(CBC))) – MindSwipe May 27 '20 at 05:23
  • @MindSwipe thanks for your effort. I have already asked them to share the implementation details/library they have used but they are not responding on this. – Ashfaq May 27 '20 at 05:34
  • You can treat the java decryptor as a black box to figure out what they are using as an IV. – President James K. Polk May 27 '20 at 13:56

1 Answer

2

An IV is crucial to the implementation of CBC - you can't use CBC without an IV, because then it isn't CBC anymore, it is something else.

It is likely that the other development team has used an implementation of CBC that allows implementors to omit the IV, even though under the hood it is randomly generating one or using a zero value for the IV.

To clarify - MindSwipe is correct and the Java developers are incorrect - they just don't realize it because the library they are using is abstracting the requirement away from them.

I suggest explaining the above to the Java developers and asking them to confirm if the IV used is just a zero value e.g. 64 0 bits.

Luke Joshua Park
  • If I read the question correctly, OP is writing the encryptor and the Java group has written the decryptor. Given the other facts presented, I would guess that the Java side simply takes the first 64 bits of cipher as the IV. – President James K. Polk May 27 '20 at 13:55
  • @PresidentJamesK.Polk This may be the case. I am waiting for their response. – Ashfaq May 28 '20 at 13:28
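The two IV conventions suggested in the answer and comments above (an all-zero IV, or an IV carried as the first 8 bytes of the ciphertext) can be produced explicitly on the C# side. This is an added example, not code from the original posts or from the Java team. The class name, the 24-byte key and the test message are constructed placeholders.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class TripleDesInterop
{
    // Hypothesis 1 (answer): the Java side decrypts with an all-zero 8-byte IV.
    public static byte[] EncryptZeroIv(byte[] key, byte[] plaintext)
    {
        return Encrypt(key, new byte[8], plaintext);
    }

    // Hypothesis 2 (comment): the Java side treats the first 8 bytes as the IV.
    public static byte[] EncryptIvPrefixed(byte[] key, byte[] plaintext)
    {
        byte[] iv = new byte[8];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(iv);
        return iv.Concat(Encrypt(key, iv, plaintext)).ToArray();
    }

    static byte[] Encrypt(byte[] key, byte[] iv, byte[] plaintext)
    {
        using (TripleDES tdes = TripleDES.Create())
        {
            tdes.Mode = CipherMode.CBC;
            tdes.Padding = PaddingMode.PKCS7; // identical to PKCS5 for 8-byte blocks
            tdes.Key = key;                   // 16 or 24 bytes; weak keys are rejected
            tdes.IV = iv;                     // set explicitly so .NET does not pick a random one
            using (ICryptoTransform enc = tdes.CreateEncryptor())
                return enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
        }
    }

    static void Main()
    {
        // Constructed test key (bytes 1..24); use the key agreed with the Java team.
        byte[] key = Enumerable.Range(1, 24).Select(i => (byte)i).ToArray();
        byte[] msg = Encoding.UTF8.GetBytes("constructed test message");

        Console.WriteLine("zero IV:     " + Convert.ToBase64String(EncryptZeroIv(key, msg)));
        Console.WriteLine("IV-prefixed: " + Convert.ToBase64String(EncryptIvPrefixed(key, msg)));
    }
}
```

Sending each output to the Java decryptor shows which convention it uses: a mismatch leaves everything after the first block readable, but either adds 8 garbage bytes at the front (zero-IV decryptor given IV-prefixed data) or drops the first 8 bytes of the message (IV-prefix decryptor given zero-IV data). With a fixed zero IV and the same key, messages that share a first block also share their first ciphertext block.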