Block ciphers allow empty string as IV.

Bug #997464 reported by Darsey Litzenberger
Affects: Python-Crypto
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

[A user sent me this bug report.]

Given the following code:

    AES.new("\x00"*16, AES.MODE_CBC, "")

Expected: raises ValueError("IV must be 16 bytes long")
Actual: succeeds.

That's strange; non-empty IVs of the wrong length are rejected, as expected.

Changed in pycrypto:
status: New → Confirmed
Changed in pycrypto:
status: Confirmed → In Progress
Darsey Litzenberger (dlitz) wrote :

Fixed in PyCrypto 2.6.

Changed in pycrypto:
status: In Progress → Fix Released
Michael Bienia (geser) wrote :

Is it expected that the IV is now mandatory also for AES.MODE_CFB? The documentation mentions it's optional.
See #1004845. Or does python-keyring use it wrong by not passing an IV?

Darsey Litzenberger (dlitz) wrote :

Yes, absolutely. IVs were always mandatory from a cryptographic standpoint. NIST SP 800-38A[1] states:

"The CFB mode requires an IV as the initial input block. The IV need not be secret, but it must be unpredictable; the generation of such IVs is discussed in Appendix C."

So if you're attempting to use CFB mode without specifying an unpredictable IV (i.e. not all-zeros), then you're not really using CFB mode, but a mode-of-operation of your own design that happens to be a weak version of CFB. PyCrypto still allows you to do that, but you must now do so explicitly; it will not default to this weak behaviour.

Any use of MODE_CBC or MODE_CFB without specifying an unpredictable (i.e. random) IV is a bug and almost certainly a security hole. PyCrypto now helps you find those bugs.

[1] http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
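As an added illustration (not code from this bug report or from PyCrypto), the following Python mirrors both points on this page: the length check from the bug description, where an empty IV was the one value that slipped past validation, and the comment's warning that a fixed IV turns CFB into a weaker mode of the caller's own design. `iv_check_pre_2_6` is a reconstruction of the reported behaviour, not the library's actual code, and the block cipher is replaced with an HMAC-based keyed function as a stand-in (an assumption of this example; full-block CFB only ever calls the cipher's forward direction, so the mode's structure, C_j = P_j XOR E_k(C_{j-1}) with C_0 = IV, is unchanged).

```python
import hashlib
import hmac
import os

BLOCK_SIZE = 16  # AES block size in bytes


# --- 1. The IV length check the bug is about -------------------------------

def iv_check_pre_2_6(iv: bytes, block_size: int = BLOCK_SIZE) -> None:
    """Reconstruction of the reported behaviour (an assumption about the old
    code, not a copy of it): an empty IV is treated as 'not supplied' and the
    length check is skipped entirely."""
    if iv:  # b'' is falsy, so it never reaches the length test
        if len(iv) != block_size:
            raise ValueError("IV must be %d bytes long" % block_size)


def iv_check_fixed(iv: bytes, block_size: int = BLOCK_SIZE) -> None:
    """The behaviour the reporter expected: every IV, b'' included, must be
    exactly one block long."""
    if len(iv) != block_size:
        raise ValueError("IV must be %d bytes long" % block_size)


def rejects(check, iv: bytes) -> bool:
    """True if `check` raises ValueError for the given IV."""
    try:
        check(iv)
    except ValueError:
        return True
    return False


# --- 2. Why the IV also has to be unpredictable -----------------------------

def _forward_block(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher's forward function E_k: a keyed PRF
    (HMAC-SHA256 truncated to one block). Constructed for this example; it
    is NOT AES, but CFB needs only the forward direction, so the mode's
    behaviour with respect to the IV is the same."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK_SIZE]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Full-block CFB (SP 800-38A, segment size = block size).
    C_j = P_j XOR E_k(C_{j-1}), C_0 = IV. A short final block is allowed."""
    iv_check_fixed(iv)
    out, prev = bytearray(), iv
    for i in range(0, len(plaintext), BLOCK_SIZE):
        chunk = plaintext[i:i + BLOCK_SIZE]
        c = _xor(chunk, _forward_block(key, prev)[:len(chunk)])
        out += c
        prev = c
    return bytes(out)


def cfb_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Inverse of cfb_encrypt; also uses only the forward cipher function."""
    iv_check_fixed(iv)
    out, prev = bytearray(), iv
    for i in range(0, len(ciphertext), BLOCK_SIZE):
        chunk = ciphertext[i:i + BLOCK_SIZE]
        out += _xor(chunk, _forward_block(key, prev)[:len(chunk)])
        prev = chunk
    return bytes(out)


def equal_leading_blocks_under_zero_iv(key: bytes, a: bytes, b: bytes) -> int:
    """With a fixed all-zero IV (which passes the length check!), two
    messages that share a prefix produce ciphertexts that share the same
    number of leading blocks. An observer learns how far two encrypted
    records agree, which is the weakness the comment above describes."""
    zero_iv = bytes(BLOCK_SIZE)
    ca, cb = cfb_encrypt(key, zero_iv, a), cfb_encrypt(key, zero_iv, b)
    n = 0
    for i in range(0, min(len(ca), len(cb)), BLOCK_SIZE):
        if ca[i:i + BLOCK_SIZE] != cb[i:i + BLOCK_SIZE]:
            break
        n += 1
    return n


def random_iv_hides_repeats(key: bytes, msg: bytes) -> bool:
    """Encrypting the same message twice under fresh random IVs yields
    different ciphertexts, so equality of records is no longer visible."""
    c1 = cfb_encrypt(key, os.urandom(BLOCK_SIZE), msg)
    c2 = cfb_encrypt(key, os.urandom(BLOCK_SIZE), msg)
    return c1 != c2


if __name__ == "__main__":
    key = b"constructed-key!"  # constructed sample key, 16 bytes
    print("pre-2.6 rejects b'':", rejects(iv_check_pre_2_6, b""))   # False
    print("fixed   rejects b'':", rejects(iv_check_fixed, b""))     # True
    rec1 = b"ACCOUNT=0001234 balance=100"
    rec2 = b"ACCOUNT=0001234 balance=999"
    print("leading equal blocks, zero IV:",
          equal_leading_blocks_under_zero_iv(key, rec1, rec2))     # 1
```

Note what the library can and cannot enforce: the length check in PyCrypto 2.6 catches a missing or malformed IV, but an all-zero or otherwise fixed IV is the right length and passes it, so unpredictability remains the caller's responsibility, which is exactly the explicit choice the comment says PyCrypto now forces on the caller.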
