4

So, I'm encrypting list of documents with AES algorithm. I use PBKDF2 to determine key from user password. I have a few question about store data and IV/salt:

How to store documents:

  • Encrypt all documents with one AES key, IV and salt
  • Encrypt each document with one AES key, but separate IV and salt

How to store/retrive IV and salt:

  • Get IV from PBKDF2 (like AES key) and no need to store it somewhere
  • Generate IV before every document encryption and store as plain text
  • For salt, I think, there are no option - anyway I need to store it as plain text

As I unterstand from that article (http://adamcaudill.com/2013/04/16/1password-pbkdf2-and-implementation-flaws/) and some others:

  • It's OK to store IV and salt as plain text, as sometimes attacker even don't need to know them
  • Different IV can only "distort" first cipher block (for CBC mode), but not all, so it doesn't bring mush security to AES method.
Wayne
  • 333
  • 1
  • 8
  • 19

1 Answers1

2

Each document should have its own IV and salt. Since the salt varies, so will the AES key for each document. You should never encrypt two documents with the same key and IV. In the most common mode (CBC), reusing IV+Key leads to some reduction in security. In some modes (CTR), reusing IV+Key destroys the security of the encryption. (The "IV" in CTR is called the "nonce," but it is generally passed to the thing called "IV" in most encryption APIs.)

Typically, you generate the IV randomly, and store it at the start of the file in plain text. If you use PBKDF2 to generate the IV, you need another salt (which you then need to store anyway), so there's not much point to that.

You also need to remember that most common modes of AES (most notably CBC) provide no protection against modification. If someone knows what your plaintext is (or can guess what it might be), they can modify your ciphertext to decrypt to some other value they choose. (This is the actual meaning of "If you have the wrong IV when you decrypt in CBC mode it corrupts the first block" from the article. They say "corrupt" like it means "garbage," but you can actually cause the first block to corrupt in specific ways.)

The way you fix this problem is with either authenticated encryption modes (like CCM or EAX), or you add an HMAC.

Rob Napier
  • 286,113
  • 34
  • 456
  • 610