Question

I'm still new to encryption in general, and I understand why an IV is necessary, but isn't the IV embedded in the encrypted data? Thus, shouldn't any decryption implementation first extract the IV from the data rather than needing to have it supplied?

The reason I assume the IV is embedded in the data is because certain libraries/tools do not require that it be supplied, for instance CryptoJS for JavaScript: CryptoJS.AES.decrypt("U2FsdGVkX1/l3HWODO9GX23rvF0KHmDR6z8XTpYYpe8=", "password").toString(CryptoJS.enc.Utf8);

and openssl: echo "U2FsdGVkX1++pGg+oWqZbIjccV1NiV2pc1QrQtw0wp4=" | openssl aes-256-cbc -d -a -pass pass:password

and really any actual app that does AES encryption, like TrueCrypt.

Libraries that seem to require the IV:

Am I getting something confused?


Solution

No, the IV may be derived as well. The only reason to include the IV with the ciphertext is when the key is reused for encryption and when the IV cannot be derived. It is common but not standardized or required to prefix it if it is present. But that's when you need the IV, so it's the de-facto standard nonetheless.

In your OpenSSL example a random salt is used to generate a key from a password. In that case the salt is different for each encrypt, so the key is random as well. In that case a randomized IV is not needed, although it can be (and will be for OpenSSL) derived from the salt and password as well.

Other protocols contain a counter, and in that case a single block encrypt over the counter can be used to create an IV for CBC mode encryption. As long as the counter stays the same at sender/receiver, there is no need to send the IV.

And there are plenty of cryptographic implementations that get it wrong and don't use a random IV for CBC mode. PHP mcrypt_encrypt is special in the sense that it even requires an IV for ECB mode, which is then thoroughly ignored as ECB does not use an IV anywhere in the algorithm.
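As an added example (not part of the question or the answer above), here is what the OpenSSL "Salted__" container actually carries and how the IV is recovered from it. The base64 blobs in the question decode to the 8-byte magic "Salted__", an 8-byte random salt, and the ciphertext; there is no IV field. Both the key and the IV come out of OpenSSL's EVP_BytesToKey derivation (one MD5 round for the legacy format that CryptoJS and `openssl enc -md md5` use; OpenSSL 1.1.0 and later default to SHA-256, which is why the `md` parameter is selectable). The key/IV derivation and the header parsing below use only the standard library; the optional round-trip helpers at the bottom assume the third-party `cryptography` package is installed and are only exercised from the `__main__` guard.

```python
import base64
import hashlib
import os
from typing import Callable, Optional, Tuple

MAGIC = b"Salted__"  # fixed 8-byte header of OpenSSL's "enc -salt" container


def evp_bytes_to_key(password: bytes, salt: Optional[bytes], key_len: int, iv_len: int,
                     md: Callable = hashlib.md5) -> Tuple[bytes, bytes]:
    """OpenSSL EVP_BytesToKey with count=1.

    D_1 = H(password || salt), D_i = H(D_{i-1} || password || salt);
    the concatenation D_1 || D_2 || ... is split into key, then IV.
    The IV is therefore a pure function of (password, salt) and never stored.
    """
    derived = b""
    prev = b""
    while len(derived) < key_len + iv_len:
        h = md()
        h.update(prev + password + (salt or b""))
        prev = h.digest()
        derived += prev
    return derived[:key_len], derived[key_len:key_len + iv_len]


def parse_salted(blob_b64: str) -> Tuple[bytes, bytes]:
    """Split a base64 'Salted__' blob into (salt, ciphertext). No IV is present."""
    raw = base64.b64decode(blob_b64)
    if len(raw) < 16 or not raw.startswith(MAGIC):
        raise ValueError("not an OpenSSL 'Salted__' container")
    return raw[8:16], raw[16:]


def derive_from_blob(blob_b64: str, password: bytes,
                     md: Callable = hashlib.md5) -> Tuple[bytes, bytes, bytes, bytes]:
    """Recover everything a decryptor needs from the blob plus the password alone."""
    salt, ciphertext = parse_salted(blob_b64)
    key, iv = evp_bytes_to_key(password, salt, 32, 16, md)  # AES-256-CBC sizes
    return salt, key, iv, ciphertext


# --- optional: full round-trip, requires the third-party 'cryptography' package ---

def encrypt_salted(plaintext: bytes, password: bytes, md: Callable = hashlib.md5) -> str:
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    salt = os.urandom(8)                       # fresh salt => fresh key and fresh IV
    key, iv = evp_bytes_to_key(password, salt, 32, 16, md)
    padder = padding.PKCS7(128).padder()
    padded = padder.update(plaintext) + padder.finalize()
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    ct = enc.update(padded) + enc.finalize()
    return base64.b64encode(MAGIC + salt + ct).decode()  # note: IV is not written out


def decrypt_salted(blob_b64: str, password: bytes, md: Callable = hashlib.md5) -> bytes:
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    _, key, iv, ct = derive_from_blob(blob_b64, password, md)
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(ct) + dec.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


if __name__ == "__main__":
    # Blob taken from the question; the password there is "password".
    salt, key, iv, ct = derive_from_blob("U2FsdGVkX1++pGg+oWqZbIjccV1NiV2pc1QrQtw0wp4=", b"password")
    print("salt:", salt.hex(), "key:", key.hex(), "iv:", iv.hex(), "ct bytes:", len(ct))
    # Constructed round-trip showing that the IV is recomputed, not read, on decrypt.
    blob = encrypt_salted(b"attack at dawn", b"password")
    print(decrypt_salted(blob, b"password"))
```

Which digest the question's blobs were produced with is not stated on the page, so the `__main__` section only prints the derived values for the MD5 variant; pass `md=hashlib.sha256` to match a current `openssl enc` default. The security point is that this scheme only works because the salt is random per message, which makes the key (and hence the derived IV) unique per message; reusing a fixed salt, or deriving the IV from a long-term key without any per-message input, brings back exactly the IV-reuse problem the answer warns about.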

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow