372 – Proper Use of Initialization Vector (IV)
Summary
Symmetric encryption should use a random IV (Initialization Vector), which should have the same length as the encryption key.
Description
The requirement emphasizes that the IV should be random. A random IV adds unpredictability to the encryption process, making it more resistant to certain types of cryptographic attacks, especially those based on analyzing patterns or repetitions in the encrypted data, also known as statistical attacks. A random IV ensures that even identical plaintexts produce different ciphertexts.
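The effect described above, as an added Go example that is not part of the original requirement. It assumes AES-128 in CBC mode (16-byte key and 16-byte IV); the function names, key and message are constructed for illustration. A reused fixed IV yields byte-identical ciphertexts for identical plaintexts, while an IV drawn from `crypto/rand` does not.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// encryptCBC PKCS#7-pads the plaintext and returns IV || AES-CBC ciphertext.
func encryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != aes.BlockSize { // NewCBCEncrypter panics on a wrong-sized IV
		return nil, fmt.Errorf("IV must be %d bytes", aes.BlockSize)
	}
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	data := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := append(append([]byte{}, iv...), data...) // IV is not secret; ship it with the message
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[len(iv):], data)
	return out, nil
}

// EncryptRandomIV draws a fresh IV from the OS CSPRNG for every message.
func EncryptRandomIV(key, plaintext []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	return encryptCBC(key, iv, plaintext)
}

// EncryptFixedIV is the non-compliant variant: one all-zero IV reused for every message.
func EncryptFixedIV(key, plaintext []byte) ([]byte, error) {
	return encryptCBC(key, make([]byte, aes.BlockSize), plaintext)
}

func main() {
	key := []byte("0123456789abcdef")           // constructed 16-byte AES-128 demo key
	msg := []byte("transfer 100 to account 42") // constructed sample plaintext
	f1, _ := EncryptFixedIV(key, msg)
	f2, _ := EncryptFixedIV(key, msg)
	r1, _ := EncryptRandomIV(key, msg)
	r2, _ := EncryptRandomIV(key, msg)
	fmt.Println("fixed IV, ciphertexts equal: ", bytes.Equal(f1, f2))
	fmt.Println("random IV, ciphertexts equal:", bytes.Equal(r1, r2))
}
```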
Supported In
Advanced: True
Last updated
2024/01/18