The way to determine IV for AES encryption, possible security problems with this approach

I am trying to make a folder encryption with maximum automation (except password input).
Inside a bash script I do the following:

    echo $RANDOM | md5sum | cut -d' ' -f1 > iv

and then using it:

    openssl aes-128-cbc -md sha256 -iv $(cat iv) -in folder.7z -out folder.7z.enc

Assuming that echo $RANDOM returns a good random value, then I use md5sum on that value, and md5sum has collision weaknesses, so I assume that there is some security problem with that, but this is the way I found to produce a correct iv string for openssl. Can someone point out what exactly can be a problem with this approach, and maybe give advice on how to produce a pseudo-random iv in a better way?
I don't have time to write an answer now but there are many problems with your code. The openssl command line is only designed for tests, not for production use, and it's very difficult to use it correctly. Use a tool designed for this purpose, such as zip or 7z's encryption feature, or gpg.
– Gilles
1 hour ago
openssl aes md5 bash
edited 21 mins ago
asked 2 hours ago
stackoverflower
2 Answers
Assuming that echo $RANDOM returns good random value…

It does not. $RANDOM in bash is implemented using an LCRNG with 32 bits of state and a 15-bit output.
answered 1 hour ago
duskwuff
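To make the 15-bit point concrete, here is an added example (not part of the question or either answer) that enumerates every IV the script's pipeline can ever write. It assumes only what the page states: bash's $RANDOM yields 0..32767, and echo prints the decimal value followed by a newline, which is exactly what md5sum hashes. The urandom_iv_hex function is the suggested replacement, drawing the full 128 bits from the OS CSPRNG.

```python
import hashlib
import os

RANDOM_MAX = 2 ** 15  # bash $RANDOM yields 0..32767 (15-bit output)


def bash_random_iv(n):
    """IV the script derives from one $RANDOM value n: the md5 of the text
    echo prints, i.e. the decimal digits plus a trailing newline."""
    return hashlib.md5(f"{n}\n".encode()).hexdigest()


def bash_random_iv_space():
    """Every IV `echo $RANDOM | md5sum | cut -d' ' -f1` can produce.
    md5 maps 32768 inputs to at most 32768 outputs, so the IV carries
    at most 15 bits of entropy no matter how strong the hash is."""
    return {bash_random_iv(n) for n in range(RANDOM_MAX)}


_WEAK_IVS = bash_random_iv_space()


def is_bash_random_iv(iv_hex):
    """Defensive check: does the content of an 'iv' file fall inside the
    15-bit space, i.e. was it generated the weak way?"""
    return iv_hex.strip().lower() in _WEAK_IVS


def entropy_bits(space):
    """Upper bound on IV entropy: log2 of the number of reachable values
    (exact here because the space size is a power of two)."""
    return len(space).bit_length() - 1


def urandom_iv_hex():
    """A full 128-bit IV from the OS CSPRNG; the shell equivalent is
    `openssl rand -hex 16`, which needs no md5sum step at all."""
    return os.urandom(16).hex()


if __name__ == "__main__":
    print(f"distinct IVs reachable via $RANDOM|md5sum: {len(_WEAK_IVS)}")
    print(f"entropy upper bound: {entropy_bits(_WEAK_IVS)} bits")
    sample = bash_random_iv(4242)  # constructed example of a weak IV
    print(f"{sample} weak? {is_bash_random_iv(sample)}")
    strong = urandom_iv_hex()
    print(f"{strong} weak? {is_bash_random_iv(strong)}")
```

The real bash generator is also sequential (32-bit LCRNG state), so successive values are correlated; the example ignores that and still shows the IV space is only 32768 values.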
... md5sum has collision weaknesses, so assume that there is some security problem with that,

Collision attacks are irrelevant here. All that matters is that the IV used is in no way predictable (i.e. no bias - all outputs have the same probability) and the same IV is not used with the same input. For more see How do poor-quality initialization vectors affect the security of CBC mode?.
answered 1 hour ago
Steffen Ullrich