Usage of CBC (Cipher Block Chaining) with predictable Initialization Vector (IV)

• Rule ID: php_lang_cbc_predictable_iv
• Languages: php
• Source: cbc_predictable_iv.yml

Description

When your application employs Cipher Block Chaining (CBC) mode for encryption, it's crucial to avoid using a predictable Initialization Vector (IV). A predictable IV can make your encryption vulnerable to dictionary attacks, where attackers can guess the encryption key by trying many possibilities.

Remediations

• Do not use a static or predictable Initialization Vector (IV) for encryption. This approach can compromise the security of your encrypted data.

  openssl_encrypt($data, "aes-256-cbc", iv: "literal-iv"); // unsafe

• Do use a strong, random IV for each encryption operation to enhance security. This practice prevents attackers from predicting the IV and launching dictionary attacks.

Associated CWE

• CWE-329: Generation of Predictable IV with CBC Mode

OWASP Top 10

• A02:2021 - Cryptographic Failures

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=php_lang_cbc_predictable_iv

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=php_lang_cbc_predictable_iv