Proper Use of Initialization Vector (IV)
Summary
Symmetric encryption should use a random IV (Initialization Vector) of the same length as the encryption key.
Description
The requirement emphasizes that the IV must be random. A random IV adds unpredictability to the encryption process, making it more resistant to certain cryptographic attacks, especially those based on analyzing patterns or repetitions in the encrypted data (also known as statistical attacks). Using a random IV ensures that encrypting identical plaintexts produces different ciphertexts.
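The following Go program, added here as an illustration and not part of the Fluid Attacks requirement text, contrasts the weak pattern (a fixed IV, which makes repeated plaintexts visible as repeated ciphertexts) with a per-message IV drawn from crypto/rand. AES-128 is used so that the 16-byte IV also equals the key length, as the requirement states; the key and message are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)
// encryptCBC encrypts plaintext with AES-CBC under key and iv (PKCS#7 padded).
// For AES the IV is one 16-byte block; with AES-128 that also equals the key length.
func encryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != block.BlockSize() {
		return nil, fmt.Errorf("IV must be %d bytes, got %d", block.BlockSize(), len(iv))
	}
	n := block.BlockSize() - len(plaintext)%block.BlockSize()
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// encryptWithRandomIV draws a fresh IV from crypto/rand per message and prepends it to the ciphertext.
func encryptWithRandomIV(key, plaintext []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct, err := encryptCBC(key, iv, plaintext)
	if err != nil {
		return nil, err
	}
	return append(iv, ct...), nil
}

func main() {
	key := []byte("0123456789abcdef") // constructed 16-byte AES-128 key, demo only
	msg := []byte("transfer 100 to account 42")
	zeroIV := make([]byte, aes.BlockSize) // the weak pattern: a fixed, all-zero IV
	a, _ := encryptCBC(key, zeroIV, msg)
	b, _ := encryptCBC(key, zeroIV, msg)
	c, _ := encryptWithRandomIV(key, msg)
	d, _ := encryptWithRandomIV(key, msg)
	fmt.Println("fixed IV repeats ciphertext:", bytes.Equal(a, b))  // true
	fmt.Println("random IV repeats ciphertext:", bytes.Equal(c, d)) // false
}
```

The receiver splits off the first 16 bytes as the IV before decrypting; the IV does not need to be secret, only unpredictable and never reused with the same key.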
Supported In
This requirement is verified in the following services:

| Plan | Supported |
|---|---|
| Essential | 🔴 |
| Advanced | 🟢 |
References
- CWE™-1204. Generation of weak initialization vector (IV)
- HIPAA-164_312_a_2_iv. Encryption and decryption (addressable)
- HITRUST CSF-10_g. Key management
- FedRAMP-SC-12_2. Cryptographic key establishment and management - Symmetric keys
- ISO/IEC 27002-8_24. Use of cryptography
- ISO/IEC 27001-8_24. Use of cryptography
Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.