I am working on a real-life project for a firm. I have to encrypt data using AES 256 as per specification. I want to know how are the key and IV are really chosen in real world projects. /dev/urandom is good enough for both? Any other advice regarding these?
Asked
Active
Viewed 1,375 times
2
-
1i would feed 32+bytes of random into SHA3-256, which outputs an AES256-sized key. the SHA3 part distributes the entropy evenly around the bytes and makes it harder to guess, unless your random is really really broken instead of just sub-optimal. – dandavis Jun 02 '16 at 18:26
-
@dandavis Thanks. Makes sense. Also, how do I ensure that IV is always unique? Do I store and always check? What's the right way? – Maxsteel Jun 02 '16 at 18:31
-
a cropped SHA-3 of the datetime should produce a different IV each time it's called (IVs need not be secret) – dandavis Jun 02 '16 at 18:33
-
1@dandavis They also need to be unpredictable. That is very predictable. The correct answer is to use a CSPRNG. – Luke Park Jun 02 '16 at 21:16
-
@LukeP: the "need" is not universal, it depends on the mode: http://security.stackexchange.com/questions/17044/when-using-aes-and-cbc-is-it-necessary-to-keep-the-iv-secret i don't like modes where the iv needs to be a secret, but they do exist. that said, i don't see how an RNG prevents iv-reuse without storage, both of which can present un-needed complication/risk. Using sha3 makes it safe and easy to concat some urandom with the timestamp and please everyone. – dandavis Jun 03 '16 at 00:16
-
Why not just random IV? If you get a collision there, you have MUCH bigger problems already (crappy implementation or crappy RNG). – domen Jun 03 '16 at 10:37
-
1@dandavis I feel like you might misunderstand. The IV does not need to be, nor did I suggest that it should be, secret, just unpredictable. It is considered best practice to use a CSPRNG when generating IV's. I've never seen anyone hash a timestamp and use it as an IV. – Luke Park Jun 03 '16 at 23:04
-
@LukePark: thanks. the part i'm confused about is how can something be unpredictable if it's not secret? – dandavis Jun 03 '16 at 23:26
-
1@dandavis Unpredictable given any prior IVs from prior messages. E.g. the next IV of the next message can be predetermined if it is the hash of a timestamp. With a CSPRNG, this is not the case. Secret =/= unpredictable. – Luke Park Jun 03 '16 at 23:29
-
@LukePark: the crypto rabbit hole gets deeper, i got homework to do... – dandavis Jun 04 '16 at 03:26
1 Answers
1
All that is necessary is that the values are random and unique. It is perfectly acceptable to pull them from your operating system's cryptographic random API or from a crypto library like OpenSSL that contains its own internal cryptographically secure random number generator (CSPRNG).
forest
- 65,613
- 20
- 208
- 262