[openssl-users] AES-256 Do I need random IV?

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Thu Apr 27 12:48:57 UTC 2017


The classic requirement is that the IV is unique per key. 

As theoretical crypto evolved, and attacks like the Chosen Ciphertext Attack (you can make the victim encrypt any plaintext of your choice (aka CPA), *and* *decrypt* any ciphertext of your choice) were developed, CBC could not hold against such an attack. Hence the recommendation to use not only a unique but an unpredictable (aka random) IV. 

So it boils down to your use case and threat model: e.g., if it may be possible for an attacker to feed you ciphertext and learn the results of your decryption, your IV may need to be random.

Regards,
Uri

Sent from my iPhone

On Apr 27, 2017, at 08:34, Salz, Rich via openssl-users <openssl-users at openssl.org> wrote:

>> For AES-256 encryption, should IV be random? I am already using a random
>> salt, so I was wondering if IV should be random too.
> 
> It should be non-repeating.  It can just be a counter.
> 
> (Yes, I know OP didn't ask about AESGCM.  But if they're coming here for advice ... )
> 
> -- 
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
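As an added example (not code from this thread or from OpenSSL) of the chosen-plaintext setting the reply above describes: the victim encrypts anything the attacker hands it under a fixed key, and with a predictable (counter) CBC IV the attacker can confirm a guess at an earlier secret block with one oracle query per guess, while a random IV leaves the same attack with nothing to compare. The same file also shows the weaker "unique" requirement: reusing key and IV exposes how many leading blocks two messages share. The block cipher is a stand-in 4-round Feistel network over HMAC-SHA256 so that the file runs on the Python standard library alone; `EncryptionOracle`, the IV sources, `recover_first_block` and `demo` are names chosen for this illustration, and the "PIN=dddd" secret is constructed sample input. Swapping in AES-256-CBC from any library changes nothing about the attack.

```python
import hashlib
import hmac
import os

BLOCK = 16  # 128-bit blocks, as in AES

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def block_encrypt(key, block):
    """Stand-in 128-bit block cipher: 4-round balanced Feistel network whose
    round function is 64 bits of HMAC-SHA256 (invertible by construction).
    ASSUMPTION: used only so this file runs on the standard library; the CBC
    attack below needs nothing but a keyed permutation, so AES-256 behaves
    identically."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def cbc_encrypt(key, iv, plaintext):
    """Textbook CBC, C_i = E_k(P_i XOR C_{i-1}), C_0 = IV; whole blocks only."""
    assert len(iv) == BLOCK and len(plaintext) % BLOCK == 0
    prev, out = iv, []
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(prev, plaintext[i:i + BLOCK]))
        out.append(prev)
    return b"".join(out)

class EncryptionOracle:
    """The victim of the thread's chosen-plaintext setting: encrypts whatever
    it is handed under one fixed key and sends the IV in the clear."""

    def __init__(self, key, next_iv):
        self.key, self.next_iv = key, next_iv

    def encrypt(self, plaintext):
        iv = self.next_iv()
        return iv, cbc_encrypt(self.key, iv, plaintext)

def counter_iv_source():
    """Unique but predictable: what a plain counter IV gives you."""
    state = {"n": 0}

    def next_iv():
        state["n"] += 1
        return state["n"].to_bytes(BLOCK, "big")
    return next_iv

def random_iv_source():
    """Unique (with overwhelming probability) and unpredictable."""
    return lambda: os.urandom(BLOCK)

def predict_counter_iv(last_iv):
    """The attacker's model of the victim's IV schedule: last IV + 1."""
    return (int.from_bytes(last_iv, "big") + 1).to_bytes(BLOCK, "big")

def recover_first_block(oracle, seen_iv, seen_ct, candidates, predict_iv):
    """Chosen-plaintext test of each guess G for the secret first block behind
    (seen_iv, seen_ct): ask for E of G XOR seen_iv XOR predicted_next_iv. If
    the prediction holds, the block cipher sees G XOR seen_iv, the same input
    the secret produced exactly when G is the secret, so the first ciphertext
    blocks match. Returns the confirmed guess, or None (the outcome whenever
    the IV could not be predicted)."""
    last_iv = seen_iv
    for guess in candidates:
        probe = xor(xor(guess, seen_iv), predict_iv(last_iv))
        last_iv, ct = oracle.encrypt(probe)
        if ct[:BLOCK] == seen_ct[:BLOCK]:
            return guess
    return None

def shared_prefix_blocks(key, iv, m1, m2):
    """The 'unique' requirement: under one key and IV, equal leading plaintext
    blocks give equal leading ciphertext blocks, so a passive observer sees
    how many blocks two messages share before they diverge."""
    c1, c2 = cbc_encrypt(key, iv, m1), cbc_encrypt(key, iv, m2)
    n = 0
    while n < min(len(c1), len(c2)) and c1[n:n + BLOCK] == c2[n:n + BLOCK]:
        n += BLOCK
    return n // BLOCK

def demo(pin, iv_source):
    """Victim encrypts a constructed secret 'PIN=dddd' block; the attacker,
    able only to get chosen plaintexts encrypted, tries all 10,000 PINs via
    the oracle. Returns the recovered PIN, or None when the attack fails."""
    key = os.urandom(32)  # AES-256-sized key (the stand-in uses it for HMAC)
    oracle = EncryptionOracle(key, iv_source)
    iv1, ct1 = oracle.encrypt(f"PIN={pin:04d}".ljust(BLOCK).encode())
    candidates = (f"PIN={p:04d}".ljust(BLOCK).encode() for p in range(10000))
    found = recover_first_block(oracle, iv1, ct1, candidates, predict_counter_iv)
    return None if found is None else int(found[4:8].decode())

if __name__ == "__main__":
    print("counter IV, recovered PIN:", demo(4242, counter_iv_source()))
    print("random IV,  recovered PIN:", demo(4242, random_iv_source()))
```

Running it recovers the PIN with the counter IV and returns None with the random IV: the attacker's probe still gets encrypted, but without knowing the IV in advance there is no way to steer the cipher's input to `G XOR seen_iv`. Note that the "it can just be a counter" advice quoted above concerns AES-GCM, where the nonce only has to never repeat under a key (and a repeat is catastrophic); for CBC a counter IV is exactly what this attack exploits.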
