I'm having trouble understanding the following sentence: "the numbers in initialization vector (IV) are all zeros (not the ASCII character '0')".
My goal is to use the openssl enc command to encrypt a file using aes-128-cbc with a key K (let's say 1234567890) and an IV that fulfils such requirements.
So far, I've tried not putting the -iv option, but it then says "iv undefined" because if option -K is used, option -iv must be provided. I've tried to use -iv 0 but I'm not sure it is the correct one.
For instance, I used:
openssl enc -aes-128-cbc -e -in input.txt -out output.txt -K 1234567890 -iv 0
Can you please help me illustrate the correct IV that fulfils the above requirements?
The OpenSSL implementation of AES-CBC requires the IV to be the same size as the block size, i.e. 128 bits in your case. The enc manual page says:
-iv IV
the actual IV to use: this must be represented as a string comprised only of hex digits.
It does not say how all 128 bits are obtained if the IV given on the command line is shorter, as in your example command.
Fortunately, the source code of OpenSSL is available. We can see in enc.c that the IV is initialized to all zeros, and then the starting bytes are filled from the command-line argument:
[hiv is the value of the command-line option -iv:]
    if ((hiv != NULL) && !set_hex(hiv, iv, sizeof iv)) {
        BIO_printf(bio_err, "invalid hex iv value\n");
    [...]
int set_hex(char *in, unsigned char *out, int size)
{
    int i, n;
    unsigned char j;
    n = strlen(in);
    if (n > (size * 2)) {
        BIO_printf(bio_err, "hex string is too long\n");
        return (0);
    }
    memset(out, 0, size);
    for (i = 0; i < n; i++) {
    .......
So, what you are doing - providing just a single zero for '-iv' - happens to produce the all-zeroes IV which you need.
Note that using a constant IV - and especially a "typical" one, such as all zeros - is a bad security practice; the Wikipedia article explains why.
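
As an added illustration (not code from the answer above or from OpenSSL), this stand-alone C program models the zero-fill-then-copy behaviour the answer describes for set_hex and shows which -iv strings end up as an all-zero 128-bit IV. The names hex_val, hex_to_padded and is_all_zero are hypothetical, and packing each digit pair high nibble first is an assumption, since the quoted excerpt elides the loop body.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define IV_LEN 16 /* AES block size in bytes: the IV length for aes-128-cbc */

/* Hypothetical helper: hex digit -> 0..15, or -1 if not a hex digit. */
static int hex_val(int c)
{
    if (isxdigit(c)) return isdigit(c) ? c - '0' : tolower(c) - 'a' + 10;
    return -1;
}

/* Zero-fill out, then write the hex digits of in into its leading bytes. */
int hex_to_padded(const char *in, unsigned char *out, size_t size)
{
    size_t n = strlen(in);
    if (n > size * 2) return 0;            /* hex string is too long */
    memset(out, 0, size);                  /* every byte starts as 0x00 */
    for (size_t i = 0; i < n; i++) {
        int v = hex_val((unsigned char)in[i]);
        if (v < 0) return 0;               /* non-hex digit */
        if (i & 1) out[i / 2] |= (unsigned char)v;        /* low nibble (assumed) */
        else       out[i / 2] = (unsigned char)(v << 4);  /* high nibble (assumed) */
    }
    return 1;
}

/* Returns 1 if every byte of buf is 0x00, else 0. */
int is_all_zero(const unsigned char *buf, size_t size)
{
    for (size_t i = 0; i < size; i++)
        if (buf[i] != 0) return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample -iv arguments; "30" is the hex code of ASCII '0'. */
    const char *samples[] = { "0", "00000000000000000000000000000000", "30", "1" };
    unsigned char iv[IV_LEN];
    for (size_t s = 0; s < sizeof samples / sizeof samples[0]; s++) {
        if (!hex_to_padded(samples[s], iv, sizeof iv)) continue;
        printf("-iv %-32s -> ", samples[s]);
        for (size_t i = 0; i < sizeof iv; i++) printf("%02x", iv[i]);
        printf("%s\n", is_all_zero(iv, sizeof iv) ? "  (all zeros)" : "");
    }
    return 0;
}
```

Writing out all 32 hex zeros gives the same IV as "-iv 0" under this model, while "30" does not, which is the distinction the question's "not the ASCII character '0'" wording is drawing.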