rspec/rules/S3329/description.adoc

In encryption, when Cipher Block Chaining (CBC) is used, the Initialization Vector (IV) must be random and unpredictable. Otherwise, the encrypted value is vulnerable to crypto-analysis attacks such as the "Chosen-Plaintext Attack".


An IV value should be associated to one, and only one encryption cycle, because the IV's purpose is to ensure that the same plaintext encrypted twice will yield two different ciphertexts.


To that end, IV's should be:

* random
* unpredictable
* publishable (IVs are frequently published)
* authenticated, along with the ciphertext, with a Message Authentication Code (MAC)

This rule raises an issue when the IV is hard-coded.
Add rules 3000-3999 2020-06-30 12:48:39 +02:00			`In encryption, when Cipher Block Chaining (CBC) is used, the Initialization Vector (IV) must be random and unpredictable. Otherwise, the encrypted value is vulnerable to crypto-analysis attacks such as the "Chosen-Plaintext Attack".`

Force linebreaks 2021-02-02 15:02:10 +01:00
Add rules 3000-3999 2020-06-30 12:48:39 +02:00			`An IV value should be associated to one, and only one encryption cycle, because the IV's purpose is to ensure that the same plaintext encrypted twice will yield two different ciphertexts.`

Force linebreaks 2021-02-02 15:02:10 +01:00
Add rules 3000-3999 2020-06-30 12:48:39 +02:00			`To that end, IV's should be:`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 3000-3999 2020-06-30 12:48:39 +02:00			`* random`
			`* unpredictable`
			`* publishable (IVs are frequently published)`
			`* authenticated, along with the ciphertext, with a Message Authentication Code (MAC)`

			`This rule raises an issue when the IV is hard-coded.`