Can an AES-128 key be reversed if the attacker can control plain text and capture cypher text and IV?

Question

We have a product under development that uses AES-128 with a Master Key XOR'd with the device's serial number and a single-use randomly generated IV to encrypt a password before transmission. Passwords are fixed length.

I have verified that an attacker can capture the serial number, IV, and cyphertext-password during a connection attempt. If the attacker buys our product they can also set the password. So they will then have the serial number, IVs, and as many plaintext/cyphertext-password pairs as they want.

Assuming they can put it all together, is this enough information to reverse the Master Key? It seems to be like it is, but I'm a little out of my element here.

I believe my question differs from the possible duplicate because in this case the attacker can generate unlimited amounts of fully-known plaintext/cyphertext. In particular, I believe that our device meets the requirements for vulnerability to power-analysis side-channel attacks.

Answer 1

Knowledge of the plain-text and it's direct encrypted cipher-text does not offer the attacker any method of reversing the master key other than brute force, which they will already have at their disposal by just knowing the cipher-text. Therefore, your system should still be secure.

To find a lot more detail and justification to this answer, I would recommend this post: How less secure is an encryption if we know something about the original data?

Hope it helps!