Classic requirement is that IV is unique per key. As theoretical crypto evolved, and attacks like Chosen Ciphertext Attack (you can make the victim encrypt any plaintext of your choice (aka CPA), *and* *decrypt* any ciphertext of your choice) were developed, CBC could not hold against such an attack. Hence the recommendation to use not only a unique but an unpredictable (aka random) IV.

So it boils down to your use case and threat model: e.g., if it may be possible for an attacker to feed you ciphertext and learn the results of your decryption, your IV may need to be random.

Regards,
Uri

Sent from my iPhone

On Apr 27, 2017, at 08:34, Salz, Rich via openssl-users <openssl-users@xxxxxxxxxxx> wrote:

>> For AES-256 encryption, should IV be random? I am already using a random
>> salt, so I was wondering if IV should be random too.
>
> It should be non-repeating. It can just be a counter.
>
> (Yes, I know OP didn't ask about AESGCM. But if they're coming here for advice ... )
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
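The unique-versus-unpredictable distinction the thread turns on, shown as an added example (this code is not from the list posters or from OpenSSL). It substitutes a constructed 4-round Feistel toy cipher for AES so it runs without any crypto library, implements textbook CBC on top of it, and contrasts two IV sources: a counter (unique but predictable) and `os.urandom` (unpredictable). The check `first_block_equality_leaks` models the chosen-plaintext setting Uri describes: a party who can submit plaintexts and knows the next IV can tell whether a guessed block equals an earlier secret block, because CBC feeds the same value into the block cipher both times; with a random IV that prediction fails. The cipher, key, and message values are all constructed for the demo.

```python
import hashlib
import hmac
import os

BLOCK = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function built from HMAC-SHA256 (constructed for this demo).
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 16-byte block cipher (4-round Feistel). Not AES; demo only."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Textbook CBC over whole blocks: C_i = E(P_i XOR C_{i-1}), C_0 = IV."""
    if len(plaintext) % BLOCK:
        raise ValueError("plaintext must be a multiple of the block size")
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(toy_block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


class CounterIV:
    """Unique but predictable IVs: the 'non-repeating' discipline, not CPA-safe for CBC."""

    def __init__(self) -> None:
        self.n = 0

    def peek(self) -> bytes:  # what an observer of the counter can predict
        return (self.n + 1).to_bytes(BLOCK, "big")

    def next(self) -> bytes:
        self.n += 1
        return self.n.to_bytes(BLOCK, "big")


class RandomIV:
    """Unpredictable IVs from the OS CSPRNG: the recommended choice for CBC."""

    def peek(self) -> bytes:  # the best an observer can do is a blind guess
        return os.urandom(BLOCK)

    def next(self) -> bytes:
        return os.urandom(BLOCK)


def first_block_equality_leaks(key: bytes, ivs, secret_block: bytes, guess: bytes) -> bool:
    """Does CBC under this IV source reveal whether `guess` == `secret_block`?

    The victim encrypts secret_block under IV1.  A chosen plaintext of
    guess XOR IV1 XOR IV2 (IV2 being the predicted next IV) makes CBC feed
    guess XOR IV1 into the block cipher, which is exactly what it saw for the
    secret when the guess is right, so the first ciphertext blocks coincide.
    With an unpredictable IV the prediction is wrong and nothing is learned.
    """
    iv1 = ivs.next()
    c_secret = cbc_encrypt(key, iv1, secret_block)
    predicted_iv2 = ivs.peek()
    chosen = _xor(_xor(guess, iv1), predicted_iv2)
    iv2 = ivs.next()
    c_chosen = cbc_encrypt(key, iv2, chosen)
    return c_secret[:BLOCK] == c_chosen[:BLOCK]


if __name__ == "__main__":
    key = bytes(range(16))  # constructed demo key
    secret = b"transfer 100 USD"  # constructed 16-byte secret block
    print("counter IV leaks equality:", first_block_equality_leaks(key, CounterIV(), secret, secret))
    print("random IV leaks equality: ", first_block_equality_leaks(key, RandomIV(), secret, secret))
```

In real code the block cipher is AES from a vetted library and the CBC IV is `os.urandom(16)` per message; the counter source here corresponds to the nonce rule Rich's reply has in mind for AES-GCM, where the requirement is non-repetition under a key rather than unpredictability.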