Question

For example, a credit card expiry month can only be one of twelve values. So a hacker would have a one in twelve chance of guessing the correct encrypted value of a month. If they knew this, would they be able to crack the encryption more quickly?

If this is the case, how many variations of a value are required to avoid this? How about a bank card number security code which is commonly only three digits?


Solution

If you use a proper cipher like AES in a proper way, then encrypting such values is completely safe.

This is because modes of operation that are considered secure (such as CBC and CTR) take an additional parameter called the initialization vector, which effectively randomizes the ciphertext even if the same plain text is encrypted multiple times.

Note that it's extremely important that the IV is used correctly. Every call of the encryption function must use a different IV. For CBC mode, the IV has to be unpredictable and preferably random, while CTR requires a unique IV (a random IV is usually not a bad choice for CTR either).
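The following Go program is an added illustration of the point made in this answer; it is not code from the question or the answer. It uses only the Go standard library (`crypto/aes`, `crypto/cipher`) and a constructed 16-byte demo key. `DemoFixedIV` reuses one IV on every call, so an observer who can obtain ciphertexts for all twelve months (e.g. from their own card data) can match a victim's ciphertext against a 12-entry table; `DemoRandomIV` draws a fresh IV per call, and the same lookup fails even though the plaintext domain is still only twelve values. The function names, the zero IV and the victim month "07" are assumptions made for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"io"
)

// Months is the twelve-value plaintext domain from the question.
var Months = []string{"01", "02", "03", "04", "05", "06", "07", "08", "09", "10", "11", "12"}

// pkcs7Pad pads data up to a multiple of blockSize (PKCS#7).
func pkcs7Pad(data []byte, blockSize int) []byte {
	n := blockSize - len(data)%blockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// EncryptCBC is AES-CBC with a caller-supplied IV. Reusing one IV across
// calls makes it deterministic, which is the misuse the answer warns about.
func EncryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, block.BlockSize())
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// EncryptCBCRandomIV draws a fresh random IV for every call and prepends it
// to the ciphertext, which is the correct way to use CBC.
func EncryptCBCRandomIV(key, plaintext []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	ct, err := EncryptCBC(key, iv, plaintext)
	if err != nil {
		return nil, err
	}
	return append(iv, ct...), nil
}

// recoverMonth models the concern in the question: an observer who can get
// all twelve months encrypted builds a 12-entry table and looks a victim's
// ciphertext up in it. It returns the matched month and whether a match exists.
func recoverMonth(encrypt func([]byte) ([]byte, error), victim []byte) (string, bool) {
	table := map[string]string{}
	for _, m := range Months {
		ct, err := encrypt([]byte(m))
		if err != nil {
			return "", false
		}
		table[hex.EncodeToString(ct)] = m
	}
	m, ok := table[hex.EncodeToString(victim)]
	return m, ok
}

// DemoFixedIV encrypts every month under one fixed IV; the table lookup
// succeeds, so the twelve-value domain is fully exposed.
func DemoFixedIV(key []byte) (string, bool) {
	fixedIV := make([]byte, aes.BlockSize) // all-zero IV reused on every call (the bug)
	enc := func(p []byte) ([]byte, error) { return EncryptCBC(key, fixedIV, p) }
	victim, err := enc([]byte("07")) // assumed victim month for the demo
	if err != nil {
		return "", false
	}
	return recoverMonth(enc, victim)
}

// DemoRandomIV does the same with a fresh IV per call; the two encryptions
// of "07" differ, so the table lookup fails despite the tiny domain.
func DemoRandomIV(key []byte) (string, bool) {
	enc := func(p []byte) ([]byte, error) { return EncryptCBCRandomIV(key, p) }
	victim, err := enc([]byte("07"))
	if err != nil {
		return "", false
	}
	return recoverMonth(enc, victim)
}

func main() {
	key := []byte("0123456789abcdef") // constructed 128-bit demo key, not a real secret
	fmt.Println(DemoFixedIV(key))
	fmt.Println(DemoRandomIV(key))
}
```

The random-IV case fails to match because two independent 128-bit IVs collide with negligible probability; what protects the month is the randomization, not the size of the plaintext space. The same reasoning applies to a three-digit security code.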

OTHER TIPS

Good encryption means that if the user knows, for example, as you mentioned, that the expiration month of a credit card is one of twelve values, then it will limit the number of options by just that, and not more.

i.e.

If a hacker needs to guess three numbers, a, b, c, each of which can have values from 1 to 3, the number of options will be 3*3*3 = 27. Now the hacker finds out that the first number, a, is always the fixed value 2. So the number of options is 1*3*3 = 9. If revealing the value of the number a results in limiting the number of options to a value less than 9, then you have been cracked, but in a strong model, if one of the numbers is revealed, then the number of options will be limited to exactly 9.

Now you are obviously not using only the exp. date for encryption, I guess.

I hope I was clear enough.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow