CWE Rule 329
Description
Rule Description
The product generates and uses a predictable initialization Vector (IV) with Cipher Block Chaining (CBC) Mode, which causes algorithms to be susceptible to dictionary attacks when they are encrypted under the same key.
Polyspace Implementation
The rule checker checks for these issues:
Constant block cipher initialization vector
Missing block cipher initialization vector
Predictable block cipher initialization vector
Examples
This issue occurs when you use a constant for the initialization vector (IV) during encryption.
Using a constant IV is equivalent to not using an IV. Your encrypted data is vulnerable to dictionary attacks.
Block ciphers break your data into blocks of fixed size. Block cipher modes such as CBC (Cipher Block Chaining) protect against dictionary attacks by XOR-ing each block with the encrypted output from the previous block. To protect the first block, these modes use a random initialization vector (IV). If you use a constant IV to encrypt multiple data streams that have a common beginning, your data becomes vulnerable to dictionary attacks.
Produce a random IV by using a strong random number generator.
For a list of random number generators that are cryptographically
weak, see Vulnerable pseudo-random
number generator
.
#include <openssl/evp.h>
#include <stdlib.h>
#define SIZE16 16
/* Using the cryptographic routines */
int func(EVP_CIPHER_CTX *ctx, unsigned char *key){
unsigned char iv[SIZE16] = {'1', '2', '3', '4','5','6','b','8','9',
'1','2','3','4','5','6','7'};
return EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv, 1); //Noncompliant
}
In this example, the initialization vector iv
has
constants only. The constant initialization vector makes your cipher
vulnerable to dictionary attacks.
One possible correction is to use a strong random number generator
to produce the initialization vector. The corrected code here uses
the function RAND_bytes
declared in openssl/rand.h
.
#include <openssl/evp.h>
#include <openssl/rand.h>
#include <stdlib.h>
#define SIZE16 16
/* Using the cryptographic routines */
int func(EVP_CIPHER_CTX *ctx, unsigned char *key){
unsigned char iv[SIZE16];
RAND_bytes(iv, 16);
return EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv, 1);
}
This issue occurs when you encrypt or decrypt data using a NULL initialization vector (IV).
Note
You can initialize your cipher context with a NULL initialization vector (IV). However, if your algorithm requires an IV, before the encryption or decryption step, you must associate the cipher context with a non-NULL IV.
Many block cipher modes use an initialization vector (IV) to prevent dictionary attacks. If you use a NULL IV, your encrypted data is vulnerable to such attacks.
Block ciphers break your data into blocks of fixed size. Block cipher modes such as CBC (Cipher Block Chaining) protect against dictionary attacks by XOR-ing each block with the encrypted output from the previous block. To protect the first block, these modes use a random initialization vector (IV). If you use a NULL IV, you get the same ciphertext when encrypting the same plaintext. Your data becomes vulnerable to dictionary attacks.
Before your encryption or decryption steps
ret = EVP_EncryptUpdate(&ctx, out_buf, &out_len, src, len)
ctx
with a non-NULL initialization
vector.ret = EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv)
#include <openssl/evp.h>
#include <stdlib.h>
#define fatal_error() abort()
unsigned char *out_buf;
int out_len;
int func(EVP_CIPHER_CTX *ctx, unsigned char *key, unsigned char *src, int len){
if (key == NULL)
fatal_error();
/* Last argument is initialization vector */
EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, NULL);
/* Update step with NULL initialization vector */
return EVP_EncryptUpdate(ctx, out_buf, &out_len, src, len); //Noncompliant
}
In this example, the initialization vector associated with the
cipher context ctx
is NULL. If you use this context
to encrypt your data, your data is vulnerable to dictionary attacks.
Use a strong random number generator to produce the initialization
vector. The corrected code here uses the function RAND_bytes
declared
in openssl/rand.h
.
#include <openssl/evp.h>
#include <openssl/rand.h>
#include <stdlib.h>
#define fatal_error() abort()
#define SIZE16 16
unsigned char *out_buf;
int out_len;
int func(EVP_CIPHER_CTX *ctx, unsigned char *key, unsigned char *src, int len){
if (key == NULL)
fatal_error();
unsigned char iv[SIZE16];
RAND_bytes(iv, 16);
/* Last argument is initialization vector */
EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv);
/* Update step with non-NULL initialization vector */
return EVP_EncryptUpdate(ctx, out_buf, &out_len, src, len);
}
This issue occurs when you use a weak random number generator for the block cipher initialization vector.
If you use a weak random number generator for the initiation vector, your data is vulnerable to dictionary attacks.
Block ciphers break your data into blocks of fixed size. Block cipher modes such as CBC (Cipher Block Chaining) protect against dictionary attacks by XOR-ing each block with the encrypted output from the previous block. To protect the first block, these modes use a random initialization vector (IV). If you use a weak random number generator for your IV, your data becomes vulnerable to dictionary attacks.
Use a strong pseudo-random number generator (PRNG) for the initialization vector. For instance, use:
OS-level PRNG such as
/dev/random
on UNIX® orCryptGenRandom()
on Windows®Application-level PRNG such as Advanced Encryption Standard (AES) in Counter (CTR) mode, HMAC-SHA1, etc.
For a list of random number generators that are cryptographically
weak, see Vulnerable pseudo-random
number generator
.
#include <openssl/evp.h>
#include <openssl/rand.h>
#include <stdlib.h>
#define SIZE16 16
int func(EVP_CIPHER_CTX *ctx, unsigned char *key){
unsigned char iv[SIZE16];
RAND_pseudo_bytes(iv, 16);
return EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv, 1); //Noncompliant
}
In this example, the function RAND_pseudo_bytes
declared
in openssl/rand.h
produces the initialization vector.
The byte sequences that RAND_pseudo_bytes
generates
are not necessarily unpredictable.
Use a strong random number generator to produce the initialization
vector. The corrected code here uses the function RAND_bytes
declared
in openssl/rand.h
.
#include <openssl/evp.h>
#include <openssl/rand.h>
#include <stdlib.h>
#define SIZE16 16
int func(EVP_CIPHER_CTX *ctx, unsigned char *key){
unsigned char iv[SIZE16];
RAND_bytes(iv, 16);
return EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv, 1);
}
Check Information
Category: Others |
Version History
Introduced in R2024a
See Also
External Websites
MATLAB Command
You clicked a link that corresponds to this MATLAB command:
Run the command by entering it in the MATLAB Command Window. Web browsers do not support MATLAB commands.
웹사이트 선택
번역된 콘텐츠를 보고 지역별 이벤트와 혜택을 살펴보려면 웹사이트를 선택하십시오. 현재 계신 지역에 따라 다음 웹사이트를 권장합니다:
또한 다음 목록에서 웹사이트를 선택하실 수도 있습니다.
사이트 성능 최적화 방법
최고의 사이트 성능을 위해 중국 사이트(중국어 또는 영어)를 선택하십시오. 현재 계신 지역에서는 다른 국가의 MathWorks 사이트 방문이 최적화되지 않았습니다.
미주
- América Latina (Español)
- Canada (English)
- United States (English)
유럽
- Belgium (English)
- Denmark (English)
- Deutschland (Deutsch)
- España (Español)
- Finland (English)
- France (Français)
- Ireland (English)
- Italia (Italiano)
- Luxembourg (English)
- Netherlands (English)
- Norway (English)
- Österreich (Deutsch)
- Portugal (English)
- Sweden (English)
- Switzerland
- United Kingdom (English)