When encrypting data with the Cipher Block Chaining (CBC) mode an Initialization Vector (IV) is used to randomize the encryption, ie under a given key the same plaintext doesn't always produce the same ciphertext. The IV doesn't need to be secret but should be unpredictable to avoid "Chosen-Plaintext Attack".
To generate Initialization Vectors, NIST recommends to use a secure random number generator.
For PyCryptodome module:
from Crypto.Cipher import AES from Crypto.Random import get_random_bytes from Crypto.Util.Padding import pad, unpad static_vector = b'x' * AES.block_size cipher = AES.new(key, AES.MODE_CBC, static_vector) cipher.encrypt(pad(data, AES.block_size)) # Noncompliant
For cryptography module:
from os import urandom from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes static_vector = b'x' * 16 cipher = Cipher(algorithms.AES(key), modes.CBC(static_vector)) cipher.encryptor() # Noncompliant
For PyCryptodome module:
from Crypto.Cipher import AES from Crypto.Random import get_random_bytes from Crypto.Util.Padding import pad, unpad random_vector = get_random_bytes(AES.block_size) cipher = AES.new(key, AES.MODE_CBC, random_vector) cipher.encrypt(pad(data, AES.block_size))
For cryptography module:
from os import urandom from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes random_vector = urandom(16) cipher = Cipher(algorithms.AES(key), modes.CBC(random_vector)) cipher.encryptor()