R – Derivation of IV for CBC Chaining Mode


Is there any secure way of deriving the value of IV for use in CBC mode (e.g. 3DES CBC) aside from randomizing the IV?

Best Solution

NIST's Special Publication 800-38A discusses methods for the generation of IVs in Appendix C. One method that is proposed there is to use a counter or nonce, encrypt it, and use the result as an IV. Contrary to, e.g., the CTR mode, it is necessary that a potential adversary cannot predict the IV.

There exist attacks if predictable IVs are used. See for example this paper. (I'll try to find a more accessible version).
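The following is an added example, not code from the answer or from NIST: a Go sketch of the encrypted-counter method described above, using 3DES-CBC from the standard library. The function names, the big-endian counter encoding and the sample key are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"encoding/binary"
	"fmt"
)

// DeriveIV applies the forward cipher function to a nonce block built from a
// message counter. The counter must never repeat under the same key.
func DeriveIV(b cipher.Block, counter uint64) []byte {
	nonce := make([]byte, b.BlockSize())
	binary.BigEndian.PutUint64(nonce[len(nonce)-8:], counter)
	iv := make([]byte, b.BlockSize())
	b.Encrypt(iv, nonce) // single-block encryption under the data key
	return iv
}

// EncryptCBC pads msg (PKCS#7) and encrypts it with 3DES-CBC under the derived IV.
func EncryptCBC(key []byte, counter uint64, msg []byte) (iv, ct []byte, err error) {
	b, err := des.NewTripleDESCipher(key) // rejects keys that are not 24 bytes
	if err != nil {
		return nil, nil, err
	}
	pad := b.BlockSize() - len(msg)%b.BlockSize()
	ct = append(append([]byte{}, msg...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	iv = DeriveIV(b, counter)
	cipher.NewCBCEncrypter(b, iv).CryptBlocks(ct, ct)
	return iv, ct, nil
}

func main() {
	key := []byte("constructed-24-byte-key!") // constructed sample key, not a real secret
	// The same plaintext under consecutive counters gets unrelated IVs and ciphertexts.
	for ctr := uint64(1); ctr <= 2; ctr++ {
		iv, ct, _ := EncryptCBC(key, ctr, []byte("same plaintext"))
		fmt.Printf("counter=%d iv=%x ct=%x\n", ctr, iv, ct)
	}
}
```

The IV is transmitted with the ciphertext as usual, so the receiver does not need the counter. The sender must persist the counter so that it is never reused with the same key.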
