Block ciphers allow empty string as IV.

Bug #997464 reported by Dwayne Litzenberger on 2012-05-10

Bug Description

[A user sent me this bug report.]

Given the following code:

    from Crypto.Cipher import AES
    AES.new("\x00"*16, AES.MODE_CBC, "")

Expected: raises ValueError("IV must be 16 bytes long")
Actual: succeeds.

That's strange; non-empty IVs of the wrong length are rejected, as expected.

Changed in pycrypto:
status: New → Confirmed
Changed in pycrypto:
status: Confirmed → In Progress
Dwayne Litzenberger (dlitz) wrote :

Fixed in PyCrypto 2.6.

Changed in pycrypto:
status: In Progress → Fix Released
Michael Bienia (geser) wrote :

Is it expected that the IV is now mandatory also for AES.MODE_CFB? The documentation mentions it's optional.
See #1004845. Or does python-keyring use it wrong by not passing an IV?

Dwayne Litzenberger (dlitz) wrote :

Yes, absolutely. IVs were always mandatory from a cryptographic standpoint. NIST SP 800-38A[1] states:

"The CFB mode requires an IV as the initial input block. The IV need not be secret, but it must be unpredictable; the generation of such IVs is discussed in Appendix C."

So if you're attempting to use CFB mode without specifying an unpredictable IV (i.e. not all-zeros), then you're not really using CFB mode, but a mode-of-operation of your own design that happens to be a weak version of CFB. PyCrypto still allows you to do that, but you must now do so explicitly; it will not default to this weak behaviour.

Any use of MODE_CBC or MODE_CFB without specifying an unpredictable (i.e. random) IV is a bug and almost certainly a security hole. PyCrypto now helps you find those bugs.
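
The weakness described in the comment above, as an added example that is not part of the original bug report and is not PyCrypto code: under one key, a repeated all-zero IV makes CFB reveal the shared prefix of two messages and the XOR of their first differing block, while distinct IVs do not, and an empty IV is rejected outright. Assumptions: HMAC-SHA256 truncated to 16 bytes stands in for the AES block function so the example runs with the standard library only, the mode is full-block CFB (segment size equal to the block size), and the function names and sample messages are constructed for illustration.

```python
import hashlib
import hmac
import os

BLOCK = 16  # AES block size in bytes


def _block_encrypt(key, block):
    # Assumption: HMAC-SHA256 truncated to 16 bytes stands in for the AES
    # block function. CFB only ever calls the cipher in the forward direction.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def cfb_encrypt(key, iv, plaintext):
    """Full-block CFB that rejects any IV that is not exactly one block."""
    if len(iv) != BLOCK:  # also catches the empty string from the report
        raise ValueError("IV must be %d bytes long" % BLOCK)
    out, feedback = [], iv
    for i in range(0, len(plaintext), BLOCK):
        ct = xor(plaintext[i:i + BLOCK], _block_encrypt(key, feedback))
        out.append(ct)
        feedback = ct  # previous ciphertext block feeds the next keystream block
    return b"".join(out)


def leaks_plaintext_xor(key, iv1, iv2, p1, p2):
    """True if XOR of the two ciphertexts equals XOR of the two plaintexts."""
    c1, c2 = cfb_encrypt(key, iv1, p1), cfb_encrypt(key, iv2, p2)
    return xor(c1, c2) == xor(p1, p2)


# Constructed sample messages: identical first block, different second block.
P1 = b"user=alice;role=admin;id=0001"
P2 = b"user=alice;role=guest;id=0002"

if __name__ == "__main__":
    key = os.urandom(16)
    zero_iv = b"\x00" * BLOCK
    print("all-zero IV leaks P1^P2:", leaks_plaintext_xor(key, zero_iv, zero_iv, P1, P2))
    print("random IVs leak P1^P2: ",
          leaks_plaintext_xor(key, os.urandom(BLOCK), os.urandom(BLOCK), P1, P2))
    try:
        cfb_encrypt(key, b"", P1)
    except ValueError as exc:
        print("empty IV rejected:", exc)
```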

