c++encryptionopensslaesblock-cipher

What is the default IV when encrypting with aes_256_cbc cipher?


I've generated a random 256 bit symmetric key, in a file, to use for encrypting some data using the OpenSSL command line which I need to decrypt later programmatically using the OpenSSL library. I'm not having success, and I think the problem might be in the initialization vector I'm using (or not using).

I encrypt the data using this command:

/usr/bin/openssl enc -aes-256-cbc -salt -in input_filename -out output_filename -pass file:keyfile

I'm using the following call to initialize the decrypting of the data:

EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), nullptr, keyfile.data(), nullptr))

keyfile is a vector<unsigned char> that holds the 32 bytes of the key. My question is regarding that last parameter. It's supposed to be an initialization vector to the cipher algorithm. I didn't specify an IV when encrypting, so some default must have been used.

Does passing nullptr for that parameter mean "use the default"? Is the default null, and nothing is added to the first cipher block?

I should mention that I'm able to decrypt from the command line without supplying an IV.


Solution

  • What is the default IV when encrypting with EVP_aes_256_cbc() [sic] cipher...

    Does passing nullptr for that parameter mean "use the default"? Is the default null, and nothing is added to the first cipher block?

    There is none. You have to supply it. For completeness, the IV should be non-predictable.

    Non-Predictable is slightly different than both Unique and Random. For example, SSLv3 used to use the last block of ciphertext for the next block's IV. It was Unique, but it was neither Random nor Non-Predictable, and it made SSLv3 vulnerable to chosen plaintext attacks.

    Other libraries do clever things like provide a null vector (a string of 0's). Their attackers thank them for it. Also see Why is using a Non-Random IV with CBC Mode a vulnerability? on Stack Overflow and Is AES in CBC mode secure if a known and/or fixed IV is used? on Crypto.SE.


    /usr/bin/openssl enc -aes-256-cbc...

    I should mention that I'm able to decrypt from the command line without supplying an IV.

    OpenSSL uses an internal mashup/key derivation function which takes the password, and derives a key and iv. Its called EVP_BytesToKey, and you can read about it in the man pages. The man pages also say:

    If the total key and IV length is less than the digest length and MD5 is used then the derivation algorithm is compatible with PKCS#5 v1.5 otherwise a non standard extension is used to derive the extra data.

    There are plenty of examples of EVP_BytesToKey once you know what to look for. Openssl password to key is one in C. How to decrypt file in Java encrypted with openssl command using AES in one in Java.


    EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), nullptr, keyfile.data(), nullptr))

    I didn't specify an IV when encrypting, so some default must have been used.

    Check your return values. A call should have failed somewhere along the path. Maybe not at EVP_DecryptInit_ex, but surely before EVP_DecryptFinal.

    If its not failing, then please file a bug report.