I'm playing around with DES encryption using CBC mode, and I came across something puzzling. I have a payload (not generated by me, but for which I know the key), accompanied by an IV, as well as a salt, which is meant to be XOR'd with the IV. On my first attempt to decrypt this payload, I found that bytes 3-7 of the plaintext were garbage, but the rest of the plaintext appeared correct. Eventually I discovered that I had failed to mix in the salt. The first 3 bytes of the salt happened to be 0, which explained why the first 3 bytes of the plaintext matched what I expected, but what I can't understand is why the incorrect IV had no impact on bytes 8 through the end of the payload. I found that I could set both the IV and the salt to any value (including all zeros), and still, only the first block (8 bytes) was impacted.
Seeing as this is all highly non-sensitive stuff (i.e. me fiddling around with SNMPv3 on a very out-dated Cisco switch on my local network with a one-word lowercase password, not to mention it doesn't even support AES), I feel no qualms sharing the following with you:
#include <stdio.h>
#include <openssl/des.h>
int main()
{
DES_key_schedule key;
DES_cblock privKey = { 0xc8, 0x13, 0x1b, 0xf0, 0x41, 0xf8, 0xae, 0xef };
DES_cblock iv = { 0xb5, 0xed, 0x65, 0x57, 0x7c, 0x99, 0x54, 0xe4 };
DES_cblock salt = { 0x00, 0x00, 0x00, 0x10, 0x63, 0xc6, 0x01, 0x82 };
const uint8_t cipher[] = {
0xc7, 0xf5, 0x53, 0xe5, 0xb3, 0x8a, 0x19, 0x8b,
0x03, 0xde, 0x49, 0xbb, 0x47, 0x38, 0x73, 0xb7,
0x96, 0x24, 0xa3, 0xba, 0x3a, 0x28, 0x79, 0x16,
0x8b, 0xe4, 0xbf, 0xb6, 0xfc, 0xc2, 0x86, 0xc7,
0x8f, 0x1e, 0x0c, 0x87, 0x53, 0xbe, 0xfc, 0x0a,
0xcd, 0x6a, 0x1a, 0xb3, 0xaa, 0x44, 0xcc, 0xb1,
0xc0, 0x5e, 0xe0, 0x98, 0x33, 0x26, 0x4b, 0xc4,
0x73, 0xa2, 0x93, 0x72, 0x86, 0x5e, 0xd0, 0xdf,
0x4f, 0x7f, 0x53, 0x92, 0xb5, 0xd6, 0x54, 0x16,
0x18, 0x55, 0xe6, 0xc7, 0xb0, 0x6f, 0x6b, 0xa7,
0x53, 0x13, 0x4a, 0x66, 0xc8, 0x65, 0xbf, 0x18,
0x2d, 0x00, 0x1c, 0xe5, 0x2e, 0xbc, 0xb2, 0x7f,
0x76, 0x03, 0x46, 0xaf, 0xac, 0xf7, 0xb3, 0x47,
0xbe, 0x09, 0xcc, 0x78, 0x9b, 0xf7, 0xae, 0x8f,
0x1f, 0xb7, 0xbb, 0xe6, 0x4f, 0x3a, 0xad, 0xdc,
0x5d, 0xde, 0xb4, 0x68, 0x4d, 0x5a, 0x68, 0x59,
0xa3, 0xc5, 0x33, 0x88, 0xad, 0x67, 0xa7, 0x2c,
0x7a, 0xe0, 0x45, 0x37, 0x41, 0x2d, 0x5d, 0xeb,
0x59, 0x20, 0xd1, 0x3e, 0x5f, 0x8b, 0x12, 0xb0,
0xcd, 0x1d, 0xd5, 0xf0, 0x1a, 0xe7, 0x64, 0x41,
0x37, 0xc1, 0xd1, 0x0c, 0x23, 0xc9, 0x90, 0x32,
0xf8, 0x21, 0xb9, 0xd6, 0x0e, 0x0e, 0x78, 0x2d,
0xf0, 0x79, 0x8c, 0x2c, 0x44, 0x04, 0x10, 0x48,
0xd7, 0xdb, 0x4c, 0xe5, 0xeb, 0x40, 0xb4, 0x4a,
0xa9, 0xb5, 0xf7, 0xa6, 0xce, 0x06, 0x28, 0xf4,
0xac, 0x99, 0xf8, 0x01, 0x88, 0xde, 0xb8, 0x75,
0x11, 0xb6, 0x2c, 0x87, 0x22, 0x8e, 0xfe, 0x3e,
0x0b, 0x7b, 0x15, 0xaa, 0xed, 0x1d, 0xaf, 0xfa,
0x88, 0x96, 0xd2, 0x8f, 0x57, 0xf8, 0xcd, 0xf6,
0x14, 0x7c, 0xbf, 0x69, 0x3d, 0x3e, 0x61, 0x2c,
0xb8, 0x01, 0x5a, 0x8a, 0x6a, 0xb1, 0x58, 0x0f,
0xa7, 0xd7, 0xc7, 0x5b, 0xe0, 0x0b, 0x3f, 0x05,
0x88, 0x85, 0xbb, 0xea, 0x82, 0x3e, 0x6f, 0xf4,
0xb7, 0x52, 0x4c, 0xc4, 0xea, 0x51, 0xfd, 0xb6,
0xc4, 0x5b, 0x65, 0x2e, 0xac, 0x29, 0x3c, 0x19,
0x40, 0x08, 0x5d, 0xa7, 0xad, 0xa8, 0x8c, 0x61,
0x78, 0xaa, 0xc4, 0xa2, 0x38, 0x72, 0x45, 0x84,
0x3d, 0x94, 0x8c, 0xa3, 0xba, 0x88, 0xf4, 0x79,
0x0a, 0x87, 0xc6, 0xe9, 0xd3, 0x0e, 0xd0, 0xd0
};
uint8_t plain[sizeof(cipher)];
int i;
for (i = 0; i < sizeof(DES_cblock); i++) {
iv[i] ^= salt[i];
}
DES_set_odd_parity(&privKey);
DES_set_key_unchecked(&privKey, &key);
DES_ncbc_encrypt(cipher, plain, sizeof(cipher), &key, &iv, DES_DECRYPT);
for (i = 0; i < sizeof(plain); i++) {
if (i) {
putchar(i % 8 ? ' ' : '\n');
}
printf("0x%02x", plain[i]);
}
putchar('\n');
}
To compile:
gcc -o main main.c -lcrypto
Running ./main
produces the following output:
0x30 0x82 0x01 0x34 0x04 0x0c 0x80 0x00
0x00 0x09 0x03 0x00 0x00 0x24 0x13 0x70
0xb2 0xc1 0x04 0x00 0xa2 0x82 0x01 0x20
0x02 0x04 0x75 0xd7 0x16 0x29 0x02 0x01
0x00 0x02 0x01 0x00 0x30 0x82 0x01 0x10
0x30 0x82 0x01 0x0c 0x06 0x08 0x2b 0x06
0x01 0x02 0x01 0x01 0x01 0x00 0x04 0x81
0xff 0x43 0x69 0x73 0x63 0x6f 0x20 0x49
0x6e 0x74 0x65 0x72 0x6e 0x65 0x74 0x77
0x6f 0x72 0x6b 0x20 0x4f 0x70 0x65 0x72
0x61 0x74 0x69 0x6e 0x67 0x20 0x53 0x79
0x73 0x74 0x65 0x6d 0x20 0x53 0x6f 0x66
0x74 0x77 0x61 0x72 0x65 0x20 0x0d 0x0a
0x49 0x4f 0x53 0x20 0x28 0x74 0x6d 0x29
0x20 0x43 0x32 0x39 0x34 0x30 0x20 0x53
0x6f 0x66 0x74 0x77 0x61 0x72 0x65 0x20
0x28 0x43 0x32 0x39 0x34 0x30 0x2d 0x49
0x36 0x4b 0x32 0x4c 0x32 0x51 0x34 0x2d
0x4d 0x29 0x2c 0x20 0x56 0x65 0x72 0x73
0x69 0x6f 0x6e 0x20 0x31 0x32 0x2e 0x31
0x28 0x32 0x32 0x29 0x45 0x41 0x31 0x33
0x2c 0x20 0x52 0x45 0x4c 0x45 0x41 0x53
0x45 0x20 0x53 0x4f 0x46 0x54 0x57 0x41
0x52 0x45 0x20 0x28 0x66 0x63 0x32 0x29
0x0d 0x0a 0x54 0x65 0x63 0x68 0x6e 0x69
0x63 0x61 0x6c 0x20 0x53 0x75 0x70 0x70
0x6f 0x72 0x74 0x3a 0x20 0x68 0x74 0x74
0x70 0x3a 0x2f 0x2f 0x77 0x77 0x77 0x2e
0x63 0x69 0x73 0x63 0x6f 0x2e 0x63 0x6f
0x6d 0x2f 0x74 0x65 0x63 0x68 0x73 0x75
0x70 0x70 0x6f 0x72 0x74 0x0d 0x0a 0x43
0x6f 0x70 0x79 0x72 0x69 0x67 0x68 0x74
0x20 0x28 0x63 0x29 0x20 0x31 0x39 0x38
0x36 0x2d 0x32 0x30 0x30 0x39 0x20 0x62
0x79 0x20 0x63 0x69 0x73 0x63 0x6f 0x20
0x53 0x79 0x73 0x74 0x65 0x6d 0x73 0x2c
0x20 0x49 0x6e 0x63 0x2e 0x0d 0x0a 0x43
0x6f 0x6d 0x70 0x69 0x6c 0x65 0x64 0x20
0x46 0x72 0x69 0x20 0x32 0x37 0x2d 0x46
If I instead fill iv
and salt
with all zeros, the first line changes to the following, while the rest remains the same:
0x85 0x6f 0x64 0x73 0x1b 0x53 0xd5 0x66
So the obvious question is, what is going on here?
If anyone can answer that, I would also ask Has this behavior been observed/documented anywhere? Why use CBC with DES at all if it provides so little benefit (well, yeah, I know no one really encourages using DES anymore)?
The answer is perfectly simple, and has nothing to do with DES, and everything to do with CBC mode. Thank you to @Topaco for pointing it out to me.
The IV does propagate changes to all blocks when performing encryption, and has the effect of randomizing the contents of each block. Two identical plaintext blocks will produce wildly different ciphertext, so it limits the amount of information that is leaked directly through the ciphertext.
On the other hand, CBC allows you to decrypt any block without first decrypting the blocks before it. This allows decryption to be parallelized. However, it causes exactly the behavior presented in the question. The IV is not required to decrypt any block except the first one.