AES-256 Do I need random IV?


AES-256 Do I need random IV?

Yaşar Arabacı
Hi,

For AES-256 encryption, should IV be random? I am already using a
random salt, so I was wondering if IV should be random too.

Thanks in advance

--
http://ysar.net/
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: AES-256 Do I need random IV?

Hanno Böck-4
On Thu, 27 Apr 2017 15:00:37 +0300
Yaşar Arabacı <[hidden email]> wrote:

> For AES-256 encryption, should IV be random? I am already using a
> random salt, so I was wondering if IV should be random too.

An IV is part of a cipher mode. AES-256 is just a block cipher. You
can't use it on its own. So you need to specify which cipher mode you
want to use in order to make sense. You most likely want to use GCM.

The requirement for the IV is usually that it's unique. Choosing it
at random may or may not be a good idea, depending on how much data
you encrypt and how long the IV is for that particular cipher mode. For
GCM using random IVs is not exactly recommended, better use a counter
if you can keep state. But if you only encrypt small amounts of data
per key a random IV is doable.

--
Hanno Böck
https://hboeck.de/

mail/jabber: [hidden email]
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

Re: AES-256 Do I need random IV?

Jakob Bohm-7
In reply to this post by Yaşar Arabacı
On 27/04/2017 14:00, Yaşar Arabacı wrote:
> Hi,
>
> For AES-256 encryption, should IV be random? I am already using a
> random salt, so I was wondering if IV should be random too.
>
> Thanks in advance
>
AES itself takes neither an IV nor a salt.

AES in CBC mode takes a 128 bit IV for the CBC mode, it is best if
attackers cannot predict the IV before providing some data that they
"trick" you into encrypting.

AES in CBC mode should also not be used more than once with the same
combination of IV and key.

Various ways to choose a key (256 bit for AES-256) from a
human-memorable password involve the use of a salt to get different
keys for different runs with the same password, and to make the number
of possible keys much larger than the number of possible human-memorable
passwords.  Using a random or otherwise unpredictable key that isn't
from a password at all is usually safer than using a key based on a
password.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


Re: AES-256 Do I need random IV?

Salz, Rich via openssl-users
In reply to this post by Yaşar Arabacı
> For AES-256 encryption, should IV be random? I am already using a random
> salt, so I was wondering if IV should be random too.

It should be non-repeating.  It can just be a counter.

(Yes, I know OP didn't ask about AESGCM.  But if they're coming here for advice ... )

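The advice in Hanno's and Rich's replies above in code, as an added example that is not part of the thread: a counter-based 96-bit nonce for AES-256-GCM, and what a repeated nonce costs. It is written in Go against the standard library crypto/cipher package rather than the OpenSSL EVP API this list is about, so that it runs self-contained; the names NonceGen, Seal and NonceReuseLeak and the sample messages are this example's own choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// NonceGen issues 96-bit GCM nonces by the deterministic construction of
// NIST SP 800-38D: a 32-bit fixed field chosen once per key, then a 64-bit
// invocation counter. Nothing repeats until the counter wraps, and a wrap
// is refused rather than silently reusing a nonce.
type NonceGen struct {
	fixed   [4]byte
	counter uint64
}

// NewNonceGen draws the fixed field at random; a device or process ID that
// is unique among all holders of the key serves the same purpose.
func NewNonceGen() (*NonceGen, error) {
	g := &NonceGen{}
	if _, err := rand.Read(g.fixed[:]); err != nil {
		return nil, err
	}
	return g, nil
}

// Next returns the next unused nonce, or an error once the counter is
// exhausted; at that point the key itself has to be rotated.
func (g *NonceGen) Next() ([]byte, error) {
	if g.counter == ^uint64(0) {
		return nil, errors.New("nonce counter exhausted: rotate the key")
	}
	nonce := make([]byte, 12)
	copy(nonce[:4], g.fixed[:])
	binary.BigEndian.PutUint64(nonce[4:], g.counter)
	g.counter++
	return nonce, nil
}

// Seal encrypts with AES-256-GCM under a caller-supplied nonce (so the
// misuse below can be demonstrated). Output is ciphertext || 16-byte tag.
func Seal(key, nonce, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(nil, nonce, plaintext, aad), nil
}

// xorBytes XORs the common prefix of a and b.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// NonceReuseLeak shows the cost of one repeated key/nonce pair: GCM is CTR
// mode underneath, so the two ciphertexts XOR to the XOR of the plaintexts,
// and whoever knows one message reads the other.
func NonceReuseLeak(key, nonce, p1, p2 []byte) ([]byte, error) {
	c1, err := Seal(key, nonce, p1, nil)
	if err != nil {
		return nil, err
	}
	c2, err := Seal(key, nonce, p2, nil)
	if err != nil {
		return nil, err
	}
	return xorBytes(c1[:len(p1)], c2[:len(p2)]), nil // drop the tags, XOR
}

func main() {
	key := make([]byte, 32) // AES-256 key, generated for the demo
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	gen, err := NewNonceGen()
	if err != nil {
		panic(err)
	}
	for i := 0; i < 3; i++ { // same plaintext, distinct nonces, distinct ciphertexts
		nonce, _ := gen.Next()
		ct, _ := Seal(key, nonce, []byte("same plaintext"), nil)
		fmt.Printf("nonce %x  ct %x\n", nonce, ct)
	}
	nonce, _ := gen.Next()
	p1, p2 := []byte("attack at dawn"), []byte("attack at dusk")
	leak, _ := NonceReuseLeak(key, nonce, p1, p2)
	fmt.Printf("c1 XOR c2 = %x\np1 XOR p2 = %x\n", leak, xorBytes(p1, p2))
}
```

The trade-off behind "better use a counter if you can keep state": NIST SP 800-38D caps the random (RBG-based) 96-bit IV construction at 2^32 invocations per key so that the chance of a collision stays below 2^-32, whereas the 64-bit counter above has room for 2^64 messages, but its value must survive restarts and must not be shared by two processes holding the same key, since a lost or duplicated counter is a reused nonce with exactly the leak NonceReuseLeak shows.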

Re: AES-256 Do I need random IV?

Blumenthal, Uri - 0553 - MITLL
Classic requirement is that IV is unique per key.

As theoretical crypto evolved, and attacks like the Chosen Ciphertext Attack (you can make the victim encrypt any plaintext of your choice (aka CPA), *and* *decrypt* any ciphertext of your choice) were developed, CBC could not hold against such an attack. Hence the recommendation to use a not only unique but unpredictable (aka random) IV.

So it boils down to your use case and threat model: e.g., if it may be possible for an attacker to feed you ciphertext and learn the results of your decryption, your IV may need to be random.

Regards,
Uri

Sent from my iPhone

On Apr 27, 2017, at 08:34, Salz, Rich via openssl-users <[hidden email]> wrote:

>> For AES-256 encryption, should IV be random? I am already using a random
>> salt, so I was wondering if IV should be random too.
>
> It should be non-repeating.  It can just be a counter.
>
> (Yes, I know OP didn't ask about AESGCM.  But if they're coming here for advice ... )
>

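The attack that Jakob's and Uri's replies point at, as an added example that is not from the thread, in Go with the standard library rather than OpenSSL's EVP API: an encryption oracle whose next IV is the previous ciphertext block (IV chaining, as TLS 1.0 did) lets an attacker who can submit one chosen plaintext confirm a guess of an earlier victim block; the same oracle with a fresh random IV per message does not. Oracle, ConfirmGuess and the victim text are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const bs = aes.BlockSize

// Oracle encrypts attacker-chosen single blocks under a key the attacker does
// not know. With Predictable set, the next IV is the last ciphertext block of
// the previous message (IV chaining); otherwise each message gets a fresh
// random IV.
type Oracle struct {
	block       cipher.Block
	Predictable bool
	lastBlock   []byte // last ciphertext block emitted; ciphertext is public
}

func NewOracle(key []byte, predictable bool) (*Oracle, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	o := &Oracle{block: block, Predictable: predictable, lastBlock: make([]byte, bs)}
	if _, err := rand.Read(o.lastBlock); err != nil { // initial IV
		return nil, err
	}
	return o, nil
}

// Encrypt one block in CBC mode (exactly one block, so no padding is involved).
// Returns the IV used and the ciphertext block.
func (o *Oracle) Encrypt(pt []byte) ([]byte, []byte, error) {
	if len(pt) != bs {
		return nil, nil, fmt.Errorf("demo encrypts exactly one %d-byte block", bs)
	}
	iv := make([]byte, bs)
	if o.Predictable {
		copy(iv, o.lastBlock)
	} else if _, err := rand.Read(iv); err != nil {
		return nil, nil, err
	}
	ct := make([]byte, bs)
	cipher.NewCBCEncrypter(o.block, iv).CryptBlocks(ct, pt)
	o.lastBlock = append([]byte(nil), ct...)
	return iv, ct, nil
}

// PredictIV is the attacker's guess at the oracle's next IV: the last
// ciphertext block, which the attacker saw on the wire.
func PredictIV(o *Oracle) []byte {
	return append([]byte(nil), o.lastBlock...)
}

// ConfirmGuess checks whether the block behind (targetIV, targetCT) is guess.
// CBC gives C = E(P xor IV). If the attacker knows the next IV in advance,
// submitting X = guess xor targetIV xor nextIV makes the oracle output
// E(guess xor targetIV), which equals targetCT exactly when guess == P.
func ConfirmGuess(o *Oracle, targetIV, targetCT, guess []byte) (bool, error) {
	nextIV := PredictIV(o)
	crafted := make([]byte, bs)
	for i := range crafted {
		crafted[i] = guess[i] ^ targetIV[i] ^ nextIV[i]
	}
	_, ct, err := o.Encrypt(crafted)
	if err != nil {
		return false, err
	}
	return bytes.Equal(ct, targetCT), nil
}

func main() {
	key := make([]byte, 32) // AES-256 key, generated for the demo
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	secret := []byte("attack at dawn!!") // 16 bytes; constructed victim plaintext
	guesses := [][]byte{[]byte("retreat at noon!"), []byte("attack at dawn!!")}
	for _, predictable := range []bool{true, false} {
		o, _ := NewOracle(key, predictable)
		iv, ct, _ := o.Encrypt(secret) // victim's message, observed by the attacker
		for _, g := range guesses {
			ok, _ := ConfirmGuess(o, iv, ct, g)
			fmt.Printf("predictable=%v guess %q -> %v\n", predictable, g, ok)
		}
	}
}
```

One chosen encryption per candidate is all it takes, which is why a low-entropy block (a password field, a cookie byte at a block boundary) is the usual target; the defence is exactly the one in the replies above: an IV the attacker cannot know before choosing the plaintext, i.e. a fresh random one per message, and, because CBC still lacks integrity, an authenticated mode if there is any choice.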

Re: AES-256 Do I need random IV?

Yaşar Arabacı
In reply to this post by Salz, Rich via openssl-users
Hello Again,

Sorry, I should have explained myself better. I am using AES-256 in
CBC mode. I am getting a string as a password, and using the
PKCS5_PBKDF2_HMAC_SHA1 function to generate a 256 bit key and 128 bit
IV. I was wondering if generating an IV like this is necessary, or
can I just use a constant IV value with every encryption.


Here is my actual test code in C;

#include <stdlib.h>
#include <string.h>
#include <openssl/evp.h>
#include <openssl/rand.h>

#define SZ_SALT 16 /* 128 bit salt */
#define NUM_ITER 1000

#define SZ_KEY 32 /* 256 bits */
#define SZ_IV 16 /* 128 bits */

#define SZ_GENERATED (SZ_KEY+SZ_IV)

int main(void)
{
    /* +1 for null terminator (harmless, but key and IV are raw bytes,
     * not C strings, so the terminator is never needed) */
    unsigned char key[SZ_KEY+1];
    unsigned char iv[SZ_IV + 1];

    const char *password = "ThisMyPass";
    const char *data = "This is important data to be encrypted";

    /* fresh random salt per run: same password -> different key and IV */
    unsigned char salt[SZ_SALT];
    if (RAND_bytes(salt, SZ_SALT) != 1)
        exit(1);

    /* one PBKDF2 call yields key || IV; passlen -1 means strlen(password) */
    unsigned char generated[SZ_GENERATED];

    if (PKCS5_PBKDF2_HMAC_SHA1(password, -1, salt, SZ_SALT, NUM_ITER,
                               SZ_GENERATED, &generated[0]) == 0)
    {
        exit(1);
    }

    memcpy(key, generated, SZ_KEY);
    key[SZ_KEY] = '\0';

    memcpy(iv, (unsigned char *)generated + SZ_KEY, SZ_IV);
    iv[SZ_IV] = '\0';

    (void)data; /* the AES-256-CBC call using key and iv is not shown here */
    return 0;
}


2017-04-27 15:34 GMT+03:00 Salz, Rich via openssl-users
<[hidden email]>:

>> For AES-256 encryption, should IV be random? I am already using a random
>> salt, so I was wondering if IV should be random too.
>
> It should be non-repeating.  It can just be a counter.
>
> (Yes, I know OP didn't ask about AESGCM.  But if they're coming here for advice ... )
>



--
http://ysar.net/
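The construction in the post above (PBKDF2-HMAC-SHA1 deriving key || IV from the password and a fresh 128-bit salt, then AES-256-CBC) carried through to a complete encrypt/decrypt round trip, as an added example that is not from the thread. It is Go with the standard library only, not the OpenSSL C API the post uses: PBKDF2 is written out inline (no PBKDF2 package is assumed in the standard library) and matches PKCS5_PBKDF2_HMAC_SHA1 on the RFC 6070 vectors. Storing the salt in front of the ciphertext and the function names Encrypt and Decrypt are this example's choices. The point it makes about the question asked: with a fresh salt per message the derived key and IV are both fresh, so the (key, IV) pair never repeats even though no separate IV is generated; the cost is one PBKDF2 run per message.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

// Sizes and iteration count exactly as in the post (1000 is low by today's standards).
const szSalt, numIter, szKey, szIV = 16, 1000, 32, 16

// pbkdf2SHA1 is PBKDF2 with HMAC-SHA1 (RFC 8018, 5.2), written out so the
// example has no dependency; it matches OpenSSL's PKCS5_PBKDF2_HMAC_SHA1.
func pbkdf2SHA1(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha1.New, password)
	out := make([]byte, 0, keyLen)
	var idx [4]byte
	for i := 1; len(out) < keyLen; i++ {
		binary.BigEndian.PutUint32(idx[:], uint32(i))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil)              // U_1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...) // T_i = U_1 ^ U_2 ^ ... ^ U_c
		for c := 1; c < iter; c++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// deriveKeyIV splits one PBKDF2 output into key || IV, as the post does.
func deriveKeyIV(password string, salt []byte) ([]byte, []byte) {
	d := pbkdf2SHA1([]byte(password), salt, numIter, szKey+szIV)
	return d[:szKey], d[szKey:]
}

// unpad removes and validates PKCS#7 padding.
func unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) ||
		!bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// Encrypt draws a fresh salt per message, so key and IV are fresh per
// message as well. Output is salt || AES-256-CBC ciphertext (PKCS#7 padded).
func Encrypt(password string, plaintext []byte) ([]byte, error) {
	salt := make([]byte, szSalt)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	key, iv := deriveKeyIV(password, salt)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	pt := append(append([]byte(nil), plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return append(salt, ct...), nil
}

// Decrypt re-derives key and IV from the stored salt. CBC alone gives no
// integrity: a wrong password or tampering is caught only by the padding check.
func Decrypt(password string, blob []byte) ([]byte, error) {
	if len(blob) < szSalt+aes.BlockSize || (len(blob)-szSalt)%aes.BlockSize != 0 {
		return nil, errors.New("malformed ciphertext")
	}
	key, iv := deriveKeyIV(password, blob[:szSalt])
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(blob)-szSalt)
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, blob[szSalt:])
	return unpad(pt)
}

func main() {
	blob, _ := Encrypt("ThisMyPass", []byte("This is important data to be encrypted"))
	back, err := Decrypt("ThisMyPass", blob)
	fmt.Printf("%d-byte blob, round trip %q, err %v\n", len(blob), back, err)
}
```

Two caveats a practitioner would want next to this: the "bad padding" error in Decrypt is observable to whoever supplies the ciphertext, which is the padding-oracle setting Uri's reply describes, so in any deployment where an attacker can submit ciphertexts this needs a MAC over salt || ciphertext (or, as Hanno suggested, GCM instead of CBC); and if the salt is ever reused for a second message under the same password, the key and IV repeat together, which is the situation the thread warns about.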