All geek questions in one place

Is it possible to derive the initialization vector from the password (as with the key), given that the salt will be random?

Cryptography guru, please help.

I found out that an encryption key with symmetric algorithms (for example, AES) must be obtained from the password through the PBKDF2 function, using a random salt in each encryption. I also found out that IV should not be hardcoded or directly connected to a password string or encryption key. Until now, I randomly generated both a key and IV, 16 bytes for my AES-256 encryption, and saved them along with the encrypted payload.

Now I think that random generation IV is redundant if I use random salt, as I can deduce both the key and the IV from the password string with this salt. Or maybe I shouldn't?

So my question in the end is this:

Is it possible to deduce the initialization vector from the password (as I do with the key), or should I generate a random IV every time, given the fact that I use a random salt in each encryption?

So, can I use the C # code below?

// Derive key and initialization vector from password: // ---> NOTE: _salt is random 16 bytes in each encryption. byte[] key, iv; using (Rfc2898DeriveBytes derivedBytes = new Rfc2898DeriveBytes(password, _salt, _iterations)) { key = derivedBytes.GetBytes(32); iv = derivedBytes.GetBytes(16); }
+4
source share
4 answers

Yes, you can use it that way until you never use the same salt for the same password (even on time) to calculate the key and IV. IV should be unique only when encrypting with the same key, and each time you will calculate a new key. Basically, you can even use all zero IV, since the key is never repeated, but you better use a derivative.

Please note that if one of your colleagues decides that PasswordDeriveBytes - Microsoft's broken PBKDF1 implementation - is better suited for the task, then you may well be vulnerable to all types of attacks. This is just an example of what might go wrong if your security boundaries are tight ...

Of course, of course, random IV would be preferable.

+3
source

What does "use random salt in every encryption" mean? It is best to extract salt and IV randomly, for example, exit the cryptography random number generator and store it with derivative bytes. Create a new IV and salt for each password.

Why from the cryptography standard RNG? The output from the password means that any weakness in the byte output function is reflected both in bytes and in IV. In modern programming languages, it is not difficult to generate it from an RNG, and the use of RNG ensures that IV for new encrypted passwords is not predictable. There are probably better reasons, but I draw a space.

0
source

The more links there are between different parts of any cryptosystem, the easier it will be for any attacker to use these links as a back door from one part of the system to another. Remember that the IV is sent in clarity, while the key must be kept secret, so any kind of connection between them is a huge risk for adoption.

Use Rfc2898DeriveBytes to generate your key and use a good crypto RNG to generate IV. Remember that the attacker will see IV, so there is no need to go through the complete RFC 2898 process. Use the standard cryptographic RNG for IV, which is likely to be faster than the RFC 2898 process, because it does not have iterations.

0
source

The most important part of semantic security for the initialization vector when using AES-CBC is that it should not be predictable.

With your proposed implementation, this key will always have the same initialization vector, but you will not use the same keys because of its 128-bit salt. It seems rather unpredictable, but it's not the best practice, and as a rule, when you do something smart to save 16 bytes of space, you lose some kind of security or discover some unknown attack vector.

I think you should use RNG and take a space of 16 bytes, being conservative - this is the name of the game when it comes to encryption. There are other things, such as authenticated encryption, which you should probably look into, I have an example implementation on codereview .

Ultimately, there are important things that provide extra overhead beyond iv for security, such as authenticated encryption, version control, and keyrotation, and there really weren't any high-level encryption schemes for C #. I am working on implementing C # on Google Keyczar . You can follow him if you want on github Keyczar-dotnet . This is quite a lot of functions and has a 90% coverage of testing, but conservatively, I would not recommend using it until it is officially adopted by the project, and then most likely will have a large group of eyes on it in the future.

0
source

Source: https://habr.com/ru/post/1436588/

More articles:


All Articles