2

I am working on a real-life project for a firm. I have to encrypt data using AES 256 as per specification. I want to know how are the key and IV are really chosen in real world projects. /dev/urandom is good enough for both? Any other advice regarding these?

Maxsteel
  • 121
  • 4
  • 1
    i would feed 32+bytes of random into SHA3-256, which outputs an AES256-sized key. the SHA3 part distributes the entropy evenly around the bytes and makes it harder to guess, unless your random is really really broken instead of just sub-optimal. – dandavis Jun 02 '16 at 18:26
  • @dandavis Thanks. Makes sense. Also, how do I ensure that IV is always unique? Do I store and always check? What's the right way? – Maxsteel Jun 02 '16 at 18:31
  • a cropped SHA-3 of the datetime should produce a different IV each time it's called (IVs need not be secret) – dandavis Jun 02 '16 at 18:33
  • 1
    @dandavis They also need to be unpredictable. That is very predictable. The correct answer is to use a CSPRNG. – Luke Park Jun 02 '16 at 21:16
  • @LukeP: the "need" is not universal, it depends on the mode: http://security.stackexchange.com/questions/17044/when-using-aes-and-cbc-is-it-necessary-to-keep-the-iv-secret i don't like modes where the iv needs to be a secret, but they do exist. that said, i don't see how an RNG prevents iv-reuse without storage, both of which can present un-needed complication/risk. Using sha3 makes it safe and easy to concat some urandom with the timestamp and please everyone. – dandavis Jun 03 '16 at 00:16
  • Why not just random IV? If you get a collision there, you have MUCH bigger problems already (crappy implementation or crappy RNG). – domen Jun 03 '16 at 10:37
  • 1
    @dandavis I feel like you might misunderstand. The IV does not need to be, nor did I suggest that it should be, secret, just unpredictable. It is considered best practice to use a CSPRNG when generating IV's. I've never seen anyone hash a timestamp and use it as an IV. – Luke Park Jun 03 '16 at 23:04
  • @LukePark: thanks. the part i'm confused about is how can something be unpredictable if it's not secret? – dandavis Jun 03 '16 at 23:26
  • 1
    @dandavis Unpredictable given any prior IVs from prior messages. E.g. the next IV of the next message can be predetermined if it is the hash of a timestamp. With a CSPRNG, this is not the case. Secret =/= unpredictable. – Luke Park Jun 03 '16 at 23:29
  • @LukePark: the crypto rabbit hole gets deeper, i got homework to do... – dandavis Jun 04 '16 at 03:26

1 Answers1

1

All that is necessary is that the values are random and unique. It is perfectly acceptable to pull them from your operating system's cryptographic random API or from a crypto library like OpenSSL that contains its own internal cryptographically secure random number generator (CSPRNG).

forest
  • 65,613
  • 20
  • 208
  • 262