Edit: I address Known-Plaintext-Attack and Chosen-plaintext attack (both) with my question
I have a little problem understanding the right use of IV.
AES is only safe against Known-Plaintext-Attack if I use a different IV for every message. Right?
I need to know the used IV to decrypt a message. Also right?
AES that isn't protected against Known-Plaintext-Attack is a weak encryption. Right?
This means I have to store every IV with the encrypted data (e.g. in an extra DB column). Sounds like a lot of overhead.
Is there any solution to this problem?
For a 128-bit message, a 96-bit IV (for AES in GCM mode, as per the NIST recommendation) might look like a big overhead. But usually the plaintext messages to be encrypted are much larger than that, much larger than the fixed-size 96-bit IV.
On the other hand, almost every safe encryption or hashing mechanism needs some kind of randomness in the form of an IV, nonce, salt etc. Not just AES.
It's an overhead but that is a tradeoff for security.
Usually the IV is appended or prepended to the ciphertext, and the decryption logic knows where to find it in the ciphertext.
Overhead is everywhere. For example, in an RDBMS table, when we create an index, it's an overhead in terms of space and write processing time. But it's a tradeoff for fast query performance.