Is it safer to use the same IV all times data are encrypted, or use a dynamic IV that is sent together the encrypted text? [closed]
- by kiamlaluno
When encrypting data that is then send to a server, is it better to always use the same IV, which is already known from the receiving server, or use a dynamic IV that is then sent to the receiving server?
I am referring to the case the remote server receives data from another server, or from a client application, and executes operations on a database table, in the table row identified by the received data.
Which of the following PHP snippets is preferable?
$iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
$ks = mcrypt_enc_get_key_size($td);
$key = substr(md5('very secret key'), 0, $ks);
mcrypt_generic_init($td, $key, $iv);
$encrypted = mcrypt_generic($td, 'This is very important data');
send_encripted_data(combine_iv_encrypted_text($iv, $encrypted));
$ks = mcrypt_enc_get_key_size($td);
$key = substr(md5('very secret key'), 0, $ks);
mcrypt_generic_init($td, $key, $iv);
send_encripted_data(mcrypt_generic($td, 'This is very important data'));
In which way is one of the snippets more vulnerable than the other one?