Initialization Vectors

Time: 15 hours 43 minutes
Difficulty: Advanced
CEU/CPE: 16
Video Transcription
00:03
>> We had our formula from
00:03
the last section that we were going to take plain text,
00:03
use an initialization vector,
00:03
an algorithm, and a key to get ciphertext.
00:03
Let's piece by piece,
00:03
talk about each of these elements.
00:03
Let's get started with initialization vectors.
00:03
Let's talk about the purpose of
00:03
them and how they come together.
00:03
I want you to think about this.
00:03
When we talk about encryption,
00:03
our goal is to take plain text and remove
00:03
it and modify it
00:03
in such a way that we produce ciphertext.
00:03
We want to make sure that there's no easy way to take
00:03
that ciphertext back to the plain text.
00:03
We want to make sure that we are as
00:03
far removed as possible from the original.
00:03
We have to make sure the encrypted text
00:03
is very different from the plain text.
00:03
We need a lot of randomness.
00:03
Sometimes even with randomness,
00:03
you need more randomness and more randomness.
00:03
That's what an initialization
00:03
>> vector is going to give me.
00:03
>> What do you think about this?
00:03
If you think about maybe a digital music player,
00:03
maybe iTunes or something, and full disclosure,
00:03
this is not how iTunes works exactly,
00:03
but this will help you
00:03
frame what an initialization vector is.
00:03
Let's say, I'll tell you I have
00:03
a digital music player and I have,
00:03
probably around 1,500 songs I've
00:03
been building this playlist
00:03
for a couple of decades actually
00:03
now and I've got a lot of great songs on my playlist.
00:03
I have got a lot of songs.
00:03
I still love music from the '70s and '80s.
00:03
I grew up listening to
00:03
Prince and Tom Petty and Queen and all the good bands.
00:03
What happens with this digital music player is I
00:03
have all of the songs,
00:03
but every time I want to play it,
00:03
I put it on random because I don't want
00:03
to hear the same first song,
00:03
second song, third song,
00:03
fourth song, every single time I play it.
00:03
I turn it on random that gives me a good mix.
00:03
But here's the problem.
00:03
Even though I have all this awesome music
00:03
on my digital music player,
00:03
I have a couple of lousy songs as well.
00:03
As a matter of fact, I
00:03
mentioned my musical tastes date back years and years.
00:03
Back to the time when I had an iPad,
00:03
I had actually loaned my iPad to
00:03
a friend of mine who was driving to Canada.
00:03
She downloaded the soundtrack to the Broadway
00:03
musical Annie on my iPad.
00:03
What that means is,
00:03
I drive up to a stoplight and
00:03
>> I'm feeling relatively hip
00:03
>> for a 50-year-old and there's only so hip
00:03
you're going to feel at 50. Let me just tell you that.
00:03
But come to the stoplight
00:03
and all of a sudden the sun will come out tomorrow,
00:03
starts blasting out my speakers
00:03
and I'm like "Oh, loser."
00:03
The question is, I've got
00:03
1,500 songs, 1,470 of them are good,
00:03
why did the same lousy ones keep playing?
00:03
Why am I not getting
00:03
the randomness that I really want there?
00:03
Well, this could be a reason.
00:03
Let's just say that
00:03
my digital music player generates some random numbers,
00:03
7, 5, 2,
00:03
3, 4, 9, 4.
00:03
When I wrote this slide, I
00:03
promise you they were totally random.
00:03
I really was just like,
00:03
here are the numbers I'm going to use.
00:03
They're random numbers and I
00:03
could even throw in some random math.
00:03
I could say, "If we start at track zero and add seven,
00:03
we're now at the seventh track.
00:03
Then we add five,
00:03
we're at the 12th track minus 2,
00:03
we're at the 10th track plus 3,
00:03
we're at the 13th track plus 4, 17th plus 9."
00:03
What is that? 26 minus four two,
00:03
you get the feel of what I'm doing.
00:03
I'm taking these random numbers and then I'm
00:03
tossing in some random math functions.
00:03
But if we always start at track zero,
00:03
then even though I've got random math,
00:03
and even though I've got random numbers,
00:03
I'm not getting randomness
00:03
because the starting place is the same.
00:03
But if I start at track
00:03
20 the first time and then track 37 the next,
00:03
then track 99 the next and so on,
00:03
if that starting point is also randomized,
00:03
now I do get much better randomization.
00:03
That starting point is what
00:03
>> my initialization vector is.
00:03
>> If we randomize the initial point
00:03
or our initialization vector that gets randomized,
00:03
then that just adds
00:03
more randomization to a random process.
00:03
Randomization is good.
00:03
We like randomness.
00:03
Our goal is to remove our ciphertext as
00:03
far as possible away from our plain text.
00:03
We want it to be as random as possible.
00:03
If we vary that beginning point,
00:03
we're going to add additional randomness.
00:03
If you've ever heard the term salt,
00:03
a salt is very comparable to an initialization vector,
00:03
but instead we use it with passwords.
00:03
We take this user's eight character password because
00:03
users really can't remember
00:03
passwords much longer than that.
00:03
If the database application that stores
00:03
those passwords also adds
00:03
maybe another eight character password
00:03
that is unique to that user,
00:03
not password, but maybe another eight characters,
00:03
which would be the salt.
00:03
The user only has to remember eight character password,
00:03
but the password is getting
00:03
the complexity of
00:03
a 16 character password, if that makes sense.
00:03
It's essentially just adding something to the process
00:03
at the beginning so that we
00:03
>> can increase the randomness.
00:03
>> When we do it with encryption,
00:03
we refer to it as an initialization vector.
00:03
When we use it with passwords,
00:03
we refer to it as a salt.
00:03
Now something interesting to think about.
00:03
Computers can't really do random.
00:03
A computer can't go 37,412.
00:03
A computer can't truly randomize.
00:03
Instead, what it has to use is something pseudo-random.
00:03
It has to base the initialization vector on
00:03
something that isn't random but feels random.
00:03
That initialization vector could be based on CPU
00:03
clock cycles, temperature,
00:03
internal temperature, there has to be
00:03
some basis for that initialization vector
00:03
that is not truly random.
00:03
As a matter of fact, it's called pseudo-random.
00:03
You'll hear the term pseudo-random number generators.
00:03
Meaning there has to be some means to help
00:03
a system come up with a value that feels random.
00:03
Totally cool: if you've got some time, look up
00:03
Cloudflare and lava lamps.
00:03
Because what they do at Cloudflare,
00:03
which is a major web infrastructure
00:03
and security organization.
00:03
They are responsible for generating some of
00:03
these pseudo-random values that are used in
00:03
very complex algorithms throughout the internet.
00:03
What they have, the way that
00:03
they determined on how to
00:03
>> generate these random numbers,
00:03
>> is they have a wall of over
00:03
100 lava lamps because they're totally unpredictable.
00:03
They have a video capturing
00:03
the movement of the lava in these lava lamps,
00:03
and then an algorithm
00:03
takes those patterns that are plotted
00:03
out and converts them to a value that is pseudo-random.
00:03
It's really pretty cool.
00:03
If you go to Cloudflare's site,
00:03
you'll get to see the actual lava lamp of the Internet.
00:03
I just love how IT people think.
00:03
I mean, I can just picture
00:03
sitting around in a board meeting
00:03
with executives and the one IT guy goes,
00:03
"I've got this great idea.
00:03
Lava lamp." IT people are certainly unique characters,
00:03
but I think it's a great idea and it's
00:03
obviously very, very effective.
00:03
We talked about our initialization vectors.
00:03
We talked about why we need randomness,
00:03
and we talked about how
00:03
those IVs give us additional randomness.
00:03
And really, we should technically say,
00:03
give us pseudo-randomness, but we know the purpose,
00:03
we know what we're trying to accomplish.
00:03
Initialization vectors are very helpful as
00:03
a starting point for our encryption process.