Swift : Null initialization vector

Classification

OWASP MASVS

V8: 8.13.(L1+R/L2+R)

OWASP ASVS

Stored Cryptography Stored Cryptography

PCI DSS 4.0

3.6.1 6.2.4 8.3.2

HIPAA

§164.312 (a)(2)(iv)

CWE

CWE-329

Overview

The application performs encryption with null initialization vector (IV). In case of encrypting related messages with the same key an attacker can obtain information about the message. For secure encryption it is necessary for the IV to be cryptographically pseudorandom, that is, unpredictable to an attacker.

Sensitive Data Exposure vulnerabilities take the third place in the “OWASP Top 10 2017” web-application vulnerabilities ranking.

References

CWE-329: Not Using a Random IV with CBC Mode
Initialization vector - Wikipedia
Forced into using a static IV (AES) - security.stackexchange.com
Why should I use an Initialization Vector (IV) when I have unique keys? - crypto.stackexchange.com
OWASP Top 10 2017-A3-Sensitive Data Exposure

CRITICAL

Swift : Null initialization vector

Classification

Overview

References

DerScanner Severity Score

Do you want to fix Swift : Null initialization vector in your application?

See also

Swift : Nill password

Swift : Hardcoded salt

Swift : Undocumented feature: special account