Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Encryption with AES-256 and the Initialization Vector

Tags:

java

android

encryption

aes

I have a question relating to the use of an Initialization Vector in AES encryption. I am referencing the following articles / posts to build encryption into my program:

[1] Java 256-bit AES Password-Based Encryption
[2] http://gmailassistant.sourceforge.net/src/org/freeshell/zs/common/Encryptor.java.html

I was originally following erickson's solution from the first link but, from what I can tell, PBKDF2WithHmacSHA1 is not supported on my implementation. So, I turned to the second link to get an idea for my own iterative SHA-256 hash creation.

My question comes in how the IV is created. One implementation ([1]) uses methods from the Cypher class to derive the IV where are the other ([2]) uses the second 16 bytes of the hash as the IV. Quite simply, why the difference and which is better from a security standpoint? I am kinda confused to the derivation and use of IVs as well (I understand what they are used for, just not the subtler differences), so any clarification is also very welcome.

I noticed that the second link uses AES-128 rather than AES-256 which would suggest to me that I would have to go up to SHA-512 is I wanted to use this method. This seems like it would be an unfortunate requirement as the user's password would have to be 16 characters longer to ensure a remotely secure hash and this app is destined for a cell phone.

Source is available on request, though it is still incomplete.

Thank you in advance.

like image 541
MysteryMoose Avatar asked Dec 21 '10 21:12

MysteryMoose

1 Answers

The IV should not be generated from the password alone.

The point of the IV that even with the same key and plaintext is re-used, a different ciphertext will be produced. If the IV is deterministically produced from the password only, you'd get the same ciphertext every time. In the cited example, a salt is randomly chosen, so a new key is generated even with the same password.

Just use a random number generator to choose an IV. That's what the cipher is doing internally.

I want to stress that you have to store either the IV (if you use the first method) or a salt (if you use the second method) together with the ciphertext. You won't have good security if everything is derived from the password; you need some randomness in every message.

like image 95
erickson Avatar answered Nov 17 '22 01:11

erickson
Sign in to Comment

Related questions

how to remove blank items from ArrayList.Without removing index wise
SQLite connection object leaked - Android
android - java - WeakReferences with an ArrayList?
solve maximum product of three array elements without sorting
Why is there a ConcurrentModificationException even when list is synchronized?
What happens if we override only hashCode() in a class and use it in a Set?
Java - what is the best way to check if a STRING contains only certain characters?
Finding unique numbers from sorted array in less than O(n)
OpenCV HoughLines only ever returning one line
Eclipse EXCEPTION_ACCESS_VIOLATION crash
RandomStringGenerator to generate alphanumeric strings
What is Parcelable in android
How can i restrict my clients with selected methods from the class?
Zip Three Different Mono of Different Type
Compare objects in LinkedList.contains()
What is "static"?
Findbugs warning: Integer shift by 32 -- what does it mean?
How to bulk cleanup imports in Java with Eclipse? [duplicate]
How to read a Lucene index?
Need UML reverse engineering tool for Java project [closed]

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!