Let me start by saying that I am new to the encryption arena. With that said, I am developing an application and need to store username, password and full name (first, middle, last) encrypted in a database table. I was reading an article that the IV should be random for each encryption that occurs and that I could prepend the IV to the ciphertext.

This is where it gets confusing. How would I decrypt the string if I prepend text to it unless I know exactly where in the string the IV ends and the ciphertext begins? Also, I was reading that I should salt the string by appending or prepending additional text before I actually encrypt, i.e., some string I create and prepend or append to the plaintext. Am I correct in my understanding of salting?

If I am storing the encrypted username and password in the database, should I worry about any issues when I need to authenticate a user? Can I reliably encrypt the username and password after the user enters the fields, then compare the encrypted values against the encrypted columns in the database? It seems as if this would be a problem and if so, what is the recommended way of handling this?

halfer
user1790300

  • The IV will always be the same as the block size, yes? So if you prepend it the first block of the cipher text would always be the IV. For AES 256, that should be 32 bytes, right? Everything else then is true cipher text. Or is there something I'm missing? – Tyler Peryea Aug 21 '14 at 21:25
  • @TylerPeryea AES always has a blocksize of 128 bits. Only the key size may be 128, 192 or 256 bits. – Maarten Bodewes Aug 22 '14 at 01:31
  • Please pay attention to the first k pages of search results here: https://www.google.com/#q=don%27t+implement+your+own+crypto If the most you know about IV is what one article said, you're unlikely to be in a position to build a secure system. This includes any component involving storage of user passwords, validation of user passwords, or storage of other sensitive information. Moreover, every question you asked and assumption you made is wrong. Flat out. Wrong. E.g.: your description of salting, IV generation, what to encrypt, how to store passwords, how to validate passwords. All wrong. – yfeldblum Mar 10 '15 at 08:50

1 Answer

The length depends on the encryption algorithm that is used. AES's IV is always 16 bytes long, so in the decryption, you can just take the first 16 characters as the IV, then start decrypting after the 16th byte.

Yes, an IV is like a salt, just that salt is usually referred to when we are doing hashing, instead of encryption. Salt is also of a fixed length.

If you only need to authenticate the user, hashing is the preferred way of storing the password in the database.

Phuah Yee Keat
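
The following is an added example, not code from the question or the answer. It shows salted password hashing for authentication, with the fixed-length salt stored as a prefix and split off again at verification, the same way a prepended 16-byte AES IV is recovered. The function names, the use of PBKDF2-HMAC-SHA256 from Python's standard library, and the iteration count are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN = 16          # fixed length, so the split point is always known
KEY_LEN = 32           # SHA-256 output size used as the derived key length
ITERATIONS = 600_000   # assumed PBKDF2-HMAC-SHA256 work factor


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || derived_key, the single value stored in the table."""
    if salt is None:
        salt = os.urandom(SALT_LEN)   # fresh random salt for every password
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly SALT_LEN bytes")
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=KEY_LEN
    )
    return salt + key


def verify_password(password: str, stored: bytes) -> bool:
    """Re-derive with the stored salt, then compare in constant time."""
    if len(stored) != SALT_LEN + KEY_LEN:   # truncated or malformed record
        return False
    salt = stored[:SALT_LEN]   # same prefix split as a prepended 16-byte IV
    candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Constructed sample password, for illustration only.
    first = hash_password("correct horse battery")
    second = hash_password("correct horse battery")
    # Two records for the same password differ because the salts differ,
    # so a login check cannot compare a freshly computed value directly.
    print("records differ:", first != second)
    print("login ok:", verify_password("correct horse battery", first))
    print("wrong password:", verify_password("wrong guess", first))
```

Because the salt is random per record, verification must read the salt back from the stored value rather than generate a new one; the username stays in plaintext (or under a separate lookup scheme) so the row can be found first.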