Is it safer to use the same IV all times data are encrypted, or use a dynamic IV that is sent together the encrypted text? [closed]

Posted by kiamlaluno on Programmers See other posts from Programmers or by kiamlaluno
Published on 2011-11-25T20:35:14Z Indexed on 2011/11/26 2:07 UTC
Read the original article Hit count: 314

Filed under:

When encrypting data that is then send to a server, is it better to always use the same IV, which is already known from the receiving server, or use a dynamic IV that is then sent to the receiving server?
I am referring to the case the remote server receives data from another server, or from a client application, and executes operations on a database table, in the table row identified by the received data.

Which of the following PHP snippets is preferable?

$iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
$ks = mcrypt_enc_get_key_size($td);
$key = substr(md5('very secret key'), 0, $ks);

mcrypt_generic_init($td, $key, $iv);
$encrypted = mcrypt_generic($td, 'This is very important data');
send_encripted_data(combine_iv_encrypted_text($iv, $encrypted));    
$ks = mcrypt_enc_get_key_size($td);
$key = substr(md5('very secret key'), 0, $ks);

mcrypt_generic_init($td, $key, $iv);
send_encripted_data(mcrypt_generic($td, 'This is very important data'));    

In which way is one of the snippets more vulnerable than the other one?

© Programmers or respective owner

Related posts about encryption