AES on the iPhone is Broken by Default

While discussing inter-compatibility between cryptography libraries, I ended up browsing the code for CommonCrypto, Apple’s iPhone cryptography library, which provides basic functionality such as AES in CBC mode.

Anyone who’s ever seriously worked with AES before knows that while CBC mode is reliable for encrypting large chunks of data, it relies on an IV (Initialization Vector) that must be, in the AES case, 16 bytes of as-random-as-possible data. In order for CBC mode to perform securely, the IV must remain impossible for the attacker to derive or predict. This data is encrypted as the first block of the cipher chain, and the following process is then initiated:

Without a proper IV, CBC mode can be seriously bad news. However, I’ve noticed that the latest version of CommonCryptor.h’s code comments state that IVs are optional:

@param iv Initialization vector, optional. Used by block ciphers when Cipher Block Chaining (CBC) mode is enabled.

And that if no IV is provided, an IV of all zeroes will be used:

When using CBC mode, an Initialization Vector (IV) is provided along with the key when starting an encrypt or decrypt operation. If CBC mode is selected and no IV is provided, an IV of all zeroes will be used.

This is, at the very least, a serious documentation flaw, and is most likely a serious security problem considering the fact that many iPhone developers marketing “security-minded” applications may very easily overlook the importance of a securely random IV, generated by a CSPRNG and made impossible to derive. Apple should look into this immediately.
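To make the zero-IV default concrete, here is an added Objective-C example (not code from CommonCrypto or from the original post) that calls CCCrypt once with a NULL IV and once with an IV drawn from SecRandomCopyBytes. The helper names CBCEncrypt and EncryptWithRandomIV and the two sample messages are assumptions constructed for illustration.

```objective-c
#import <Foundation/Foundation.h>
#import <CommonCrypto/CommonCryptor.h>
#import <Security/Security.h>

// Hypothetical helper (not a CommonCrypto function): AES-128-CBC, PKCS#7 padding.
// Passing iv == NULL selects the all-zero IV described in CommonCryptor.h.
static NSData *CBCEncrypt(NSData *key, const void *iv, NSData *plain) {
    NSMutableData *out = [NSMutableData dataWithLength:plain.length + kCCBlockSizeAES128];
    size_t moved = 0;
    CCCryptorStatus st = CCCrypt(kCCEncrypt, kCCAlgorithmAES128, kCCOptionPKCS7Padding,
                                 key.bytes, key.length, iv, plain.bytes, plain.length,
                                 out.mutableBytes, out.length, &moved);
    if (st != kCCSuccess) return nil;
    out.length = moved;
    return out;
}

// Hypothetical helper: fresh CSPRNG IV per message, prepended to the ciphertext.
static NSData *EncryptWithRandomIV(NSData *key, NSData *plain) {
    uint8_t iv[kCCBlockSizeAES128];
    if (SecRandomCopyBytes(kSecRandomDefault, sizeof iv, iv) != errSecSuccess) return nil;
    NSData *ct = CBCEncrypt(key, iv, plain);
    if (ct == nil) return nil;
    NSMutableData *msg = [NSMutableData dataWithBytes:iv length:sizeof iv];
    [msg appendData:ct];
    return msg;
}

int main(void) {
    @autoreleasepool {
        uint8_t k[kCCKeySizeAES128];
        if (SecRandomCopyBytes(kSecRandomDefault, sizeof k, k) != errSecSuccess) return 1;
        NSData *key = [NSData dataWithBytes:k length:sizeof k];
        // Constructed sample messages: identical first 16 bytes, different endings.
        NSData *m1 = [@"account=alice;balance=100;note=a" dataUsingEncoding:NSUTF8StringEncoding];
        NSData *m2 = [@"account=alice;balance=100;note=b" dataUsingEncoding:NSUTF8StringEncoding];
        NSRange blk0 = NSMakeRange(0, kCCBlockSizeAES128);
        // Zero IV: the shared first plaintext block encrypts to the same ciphertext block.
        NSData *z1 = CBCEncrypt(key, NULL, m1), *z2 = CBCEncrypt(key, NULL, m2);
        NSLog(@"zero IV, first blocks equal: %d",
              [[z1 subdataWithRange:blk0] isEqualToData:[z2 subdataWithRange:blk0]]);
        // Random IV: skip the 16-byte IV prefix, then compare the first ciphertext blocks.
        NSRange blk1 = NSMakeRange(kCCBlockSizeAES128, kCCBlockSizeAES128);
        NSData *r1 = EncryptWithRandomIV(key, m1), *r2 = EncryptWithRandomIV(key, m2);
        NSLog(@"random IV, first blocks equal: %d",
              [[r1 subdataWithRange:blk1] isEqualToData:[r2 subdataWithRange:blk1]]);
    }
    return 0;
}
```

On macOS this builds with clang using -fobjc-arc and the Foundation and Security frameworks. With the NULL IV, anyone observing the ciphertexts can tell that the two messages begin with the same 16 bytes, which is the leak a per-message random IV removes.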

Update: I’ve sent a report to Apple.

Posted December 13, 2011 by Nadim in Computing, Security