When is an IV not an IV?
I just saw an interesting exchange on a security web site. Someone asked how to securely encrypt small blocks of data, like credit card numbers, using the CBC mode of a block cipher. The reply reminded me of why many people find cryptography annoying: there are lots of details to keep track of, and if you make a mistake on any one of these, you're not as secure as you think you are. In particular, the reply talked about using the same initialization vector (IV) for an entire row or column of data in a database. This is a mistake. It's such a common mistake that it even has its own Common Weakness Enumeration number assigned to it: CWE-329.
The problem is that the security model CBC mode relies on assumes that IVs are random. If they're not random, then using CBC mode isn't guaranteed to be secure. The proof of security for CBC mode says that IF an IV is random THEN CBC mode is secure. If an IV isn't random, the proof tells you nothing, and there can be ways for an adversary to recover plaintext data that wouldn't be possible if the IV were actually random. The most obvious one: with a fixed IV, two records that start with the same plaintext block produce the same first ciphertext block, so equality of stored values leaks without any key material being exposed.
There are secure ways to use a non-random input in addition to the key that a block cipher uses, but they're different from how CBC mode is implemented. The way to do this securely is to use a tweaked block cipher, and there's some discussion of this in a previous post. A tweaked mode is structured differently from CBC mode because of the different assumptions about the inputs: CBC mode is secure if the IV is random, whereas a tweaked mode is secure even if the tweaks are not random, and it takes a different structure to achieve that.
So it's definitely possible to securely encrypt small blocks of data using a block cipher, but using the same IV for an entire row or column of a database isn't a good way to do this.
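To make the leak concrete, here is an added example (not from the original post) that implements CBC mode over a small keyed block cipher and encrypts a few constructed database rows twice: once with one static IV for the whole column, once with a fresh random IV per row. The block cipher is a four-round Feistel network built from HMAC-SHA256, chosen only so the example runs with the Python standard library; it stands in for AES and is not meant for production use. The key, IV and record values are all constructed for the demonstration.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes, matching AES


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Feistel round function: keyed hash of (round index, right half), truncated to 8 bytes.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    # Toy 128-bit keyed permutation (4-round Feistel). Stand-in for AES, NOT a real cipher.
    assert len(block) == BLOCK
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    # Inverse of toy_block_encrypt: apply the rounds in reverse order.
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Standard CBC: each plaintext block is XORed with the previous ciphertext block (IV first).
    assert len(iv) == BLOCK
    padded, prev, out = pkcs7_pad(plaintext), iv, []
    for i in range(0, len(padded), BLOCK):
        prev = toy_block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(toy_block_decrypt(key, c), prev))
        prev = c
    return pkcs7_unpad(b"".join(out))


def equal_first_blocks(key, records, iv_for_row):
    """Pairs of row indices whose first ciphertext block is identical.

    iv_for_row(i) returns the IV used for row i. Any pair reported here tells an
    observer of the stored column that those rows share their first 16 plaintext bytes.
    """
    cts = [cbc_encrypt(key, iv_for_row(i), r) for i, r in enumerate(records)]
    return [(i, j) for i in range(len(cts)) for j in range(i + 1, len(cts))
            if cts[i][:BLOCK] == cts[j][:BLOCK]]


# Constructed demo values; not real keys or card data.
KEY = hashlib.sha256(b"constructed demo key").digest()[:16]
STATIC_IV = b"\x00" * BLOCK  # the "one IV for the whole column" mistake
RECORDS = [
    b"PAN=4111111111111111;EXP=0130",  # rows 0 and 1 share their first 16 bytes
    b"PAN=4111111111111111;EXP=0231",
    b"PAN=5555555555554444;EXP=0329",
]


def random_iv(_row: int) -> bytes:
    return os.urandom(BLOCK)  # fresh IV per row; must be stored alongside the ciphertext


if __name__ == "__main__":
    print("static IV, rows with equal first block:", equal_first_blocks(KEY, RECORDS, lambda i: STATIC_IV))
    print("random IV, rows with equal first block:", equal_first_blocks(KEY, RECORDS, random_iv))
```

With the static IV the function reports the pair (0, 1), so anyone who can read the column learns that those two rows hold the same card number without touching the key; with a per-row random IV it reports nothing. The per-row IV is not secret and is simply stored next to the ciphertext so that decryption can reproduce it.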
I have often seen cases where using AES in CBC mode with a static IV has led to a compromise of integrity. In all of these cases the plaintext has not shared a common beginning sequence. In the case where there is no common beginning sequence a compromise of privacy is not, currently, possible. Thanks for the reminder that the use of a block cipher with a static IV is a threat to privacy as well as integrity.
Posted by: Andrew Becherer | Thursday, 23 July 2009 at 09:10 AM