To store passwords (written in C) for Rockbox I need to generate initialization vectors.
The problem is that I do not have a good source of randomness. The random() supplied by Rockbox is not a cryptographic RNG, and I have almost no sources of randomness that I can access (no mouse movements, ... on an iPod running Rockbox).
The key is currently derived via PBKDF2 from the user-provided password and a salt (which is a constant prefix + some data from random()). I think pseudo-random data should be good enough for a salt with 10,000 iterations of PBKDF2.
However, where do I get my initialization vector? Is it okay if I take some semi-random data (time + random()) and hash it with SHA, say, 10,000 times? Should I use arc4random with a seed taken from random()?
Do I even need an IV if I will never use the same key twice (the salt is recomputed every time the stored data changes)? What is the best way to deal with such situations?
Edit: Just one user (me, the owner of the iPod). Encryption algorithm: AES-CBC 256-bit. The file simply stores a list of sites / accounts / passwords for various websites. It rarely changes (when I create a new account on a website); when this happens, a new salt and a new IV are created.
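The design in the question (a fresh salt on every write, key from PBKDF2 with 10,000 iterations) lets the IV come out of the same PBKDF2 call as the key, so no separate random source is needed for it; the IV is then exactly as unique as the salt. The following is an added example, not the poster's Rockbox code; the salt prefix, password and per-write entropy values are constructed.

```python
import hashlib
from typing import Iterable, Tuple

# Parameters matching the question's design: AES-256-CBC, 10,000 PBKDF2 rounds.
KEY_LEN = 32
IV_LEN = 16
ITERATIONS = 10_000


def derive_key_and_iv(password: bytes, salt: bytes) -> Tuple[bytes, bytes]:
    """Derive the AES-256 key and the 16-byte CBC IV from one PBKDF2 call.

    Asking PBKDF2 for 48 bytes and splitting them gives an IV that changes
    whenever the salt changes, without any extra randomness at encrypt time.
    """
    material = hashlib.pbkdf2_hmac(
        "sha256", password, salt, ITERATIONS, dklen=KEY_LEN + IV_LEN
    )
    return material[:KEY_LEN], material[KEY_LEN:]


def make_salt(prefix: bytes, per_write_entropy: bytes) -> bytes:
    """Salt = constant prefix + data gathered for this write (as in the question)."""
    return prefix + per_write_entropy


def iv_reuse_across_writes(password: bytes, prefix: bytes,
                           entropy_per_write: Iterable[bytes]) -> bool:
    """Return True if two writes produced the same (key, IV) pair.

    With key and IV both derived from the salt, a (key, IV) repeat happens
    exactly when the per-write entropy repeats, e.g. a PRNG restarted from the
    same state. That repeat is the CBC IV-reuse failure the scheme must avoid,
    so the quality of the salt source is what the IV's uniqueness rests on.
    """
    seen = set()
    for entropy in entropy_per_write:
        pair = derive_key_and_iv(password, make_salt(prefix, entropy))
        if pair in seen:
            return True
        seen.add(pair)
    return False


if __name__ == "__main__":
    # Constructed sample: two writes with distinct entropy, then a repeated one.
    writes = [b"\x01" * 8, b"\x02" * 8, b"\x01" * 8]
    print("IV reused:", iv_reuse_across_writes(b"hunter2", b"rockbox-salt:", writes))
```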