What is the security threat of always using all zeroes for the IV? If it allows the encrypted text to be deciphered, how could an attacker do that?
UPDATE: So then,
If the IV is always zero, all messages with common text at the start (for example, emails with the same first two or three cipher blocks for the 'From ' or 'From: ' information) will be encrypted the same. This gives the attacker leverage over your key. That is unconditionally bad. As long as you use a reasonably random IV, the attacker loses that leverage. Don't risk it.
Once the attacker has one plaintext message and the matching ciphertext (perhaps she intercepted it somewhere else, like the destination), she will be able to know when any other messages with the same starting sequence are sent. Since she can learn something about the contents of your encrypted messages, this is insecure.
It also allows the attacker to perform frequency analysis. For example, imagine that your plaintext messages are commands to the backend of a stock market platform, so they all start with either "COMMAND=BUY"
or "COMMAND=SELL"
. This means that the encrypted messages start with only two different ciphertext sequences. The attacker can't directly decrypt them - but if she is able to later observe how many SELL orders you placed through observing the market data, she'll be able to go back and work out which is which, and from now on she'll know exactly which orders you are placing as you place them.
Frequency analysis is how simple substitution ciphers are broken, and this is no coincidence - using a fixed IV means that the initial portion of your messages are effectively just using substitution, a block at a time.
Not easily, but it does expose information about the messages, which is something that encryption tries to avoid.
Let's say you use the same key and a zero IV. Someone sniffing traffic can notice that messages start out with the same ciphertext. This gives them some information. By randomizing the IV, this information leakage goes away. More powerful attacks can be launched by knowing more about the structure of the plaintext data. Additionally, if you send many messages in such a way, an attacker could slowly learn more information about the key being used due to the reduction in variance (only the plaintext is different, instead of both the plaintext and the IV
The point of CBC is to randomize input blocks, because a given input block always gets encrypted the same with a given key (AES is deterministic). An input block is randomized by XORing it with the previous output block. The first block having no previous block, it is randomized by XORing it with the IV.
Thus, using a non-random IV means that you do not randomize the first block. If you never use the same key twice, i.e. you use a new key whenever you encrypt a new message, then an all-zero IV is not a problem. Issues with non-randomized input blocks are relevant only when there are two non-randomized input blocks which are encrypted with the same key. If you use a given key for a single message, then only the single first block of that message will be non-randomized, so no problem. But that is a big "if". In particular, if you can generate a new key for every message, then you probably can also generate a new IV for every message. It would take a quite specific scenario to justify using an all-zero IV with CBC.