3

I haven't written encryption in a while and have forgotten some stuff.

I remember that to have the output be different for the same data using the same key, I want to salt the data on one of the ends of the byte array and then use CBC mode so that the salt can do its thing.

However I can't remember which direction the encryption goes. Should the salt go at position 0 and then the data to be encrypted goes behind it, or does the salt go at the end? I know CBC mode works best when the salt is the first block in the chain.

Also what block size for AES 256? The wiki article says that all AES uses 128-bit block sizes, and that the 256 part only relates to the key length. So should my salt for AES 256 be 16 bytes or 32 bytes?

I'm using AesCryptoServiceProvider, not RijndaelManaged.

dda
Andrew Hoffman

1 Answer

5

First of all, we generally call the random per-encryption value an Initialization Vector (IV), not a salt, in the context of block ciphers.

AES-256 has 128-bit blocks, so the IV should have 128 bits. Typical libraries that implement CBC mode have a special parameter for the IV. You shouldn't mix it into the plaintext yourself.

AesCryptoServiceProvider creates a new random IV by default when you instantiate it. You just need to store it alongside the ciphertext and restore it before decryption. Since you need the IV to start decryption, I prefer putting it at the beginning of the ciphertext. But how and where you store the IV has no effect on security.


An additional hint beyond your questions: Add a MAC (e.g. HMAC-SHA-2) on the ciphertext. Be sure to compute it on the ciphertext including the IV (encrypt-then-mac), not on the plaintext (mac-then-encrypt). Else an active attacker can often use a padding oracle to decrypt the message. Don't forget to use a constant time comparison function for MAC verification.

CodesInChaos
  • Hi CodesInChaos, do I need to know the IV in order to decrypt? I've never really used it as I never really understood it, have always assumed you need to know the IV in order to decrypt. – Andrew Hoffman Nov 19 '13 at 17:19
  • 1
    @AndrewHoffman 1) You need to know the IV to decrypt the first block. But it doesn't affect decryption of later blocks. (For CBC, other modes differ). 2) Standard practice is storing the IV in plain alongside the ciphertext. The IV is not secret. – CodesInChaos Nov 19 '13 at 17:22
  • Oh I see. What I am using it for is to encrypt someData, and sending it out into the web, having no idea where it is going, and then getting that encrypted data back at some later point. I'm not keeping a session, and am not storing the data nor the IV. What I intend the salt for is to just ensure that the package is different even when the data and key are the same. I'm vaguely starting to remember why I've never used IV before.. haven't done this in a while. So when substituting salt for IV in AES 256, salt should be 16 bytes, and should be at the beginning? – Andrew Hoffman Nov 19 '13 at 17:33
  • 1
    [jbtule's answer](http://stackoverflow.com/questions/202011/encrypt-decrypt-string-in-net/10366194#10366194) to "Encrypt/Decrypt string in .NET" is a good starting point. – CodesInChaos Nov 19 '13 at 17:37
  • @CodesInChaos *"You need to know the IV to decrypt the first block. But it doesn't affect decryption of later blocks."* What!? Is the implication here that you can still decrypt every block other than the first without the IV? – NullUserException Nov 19 '13 at 17:58
  • 3
    @NullUserException Yes, for [CBC you can decrypt everything except the first block without knowing the IV](http://crypto.stackexchange.com/questions/2865/why-does-cbc-decryption-with-a-wrong-iv-still-give-readable-results). The IV affects the *encryption* of every block, but only the *decryption* of the first block. – CodesInChaos Nov 19 '13 at 18:01
  • @CodesInChaos Interesting property to be aware of. Thanks. – NullUserException Nov 19 '13 at 19:21
  • Aha, so CBC intends you to prepend the IV to your data and then remove it after decryption, the same way I usually do with salt. Indeed an interesting feature of CBC I did not know, will save a couple steps since the default block size of AesCryptoServiceProvider is 128 and the autogenned IV should match that block size. – Andrew Hoffman Nov 19 '13 at 19:36
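
The layout described in the answer above (random IV stored in front of the ciphertext, HMAC computed over IV plus ciphertext, constant-time tag check before any decryption), written out as an added example; it is not code from the answer or from the linked post. The class name `AesCbcHmac`, the message layout, and the use of two independent keys (`encKey`, `macKey`) are assumptions made for the illustration.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;

static class AesCbcHmac
{
    const int IvLen = 16;   // AES block size is 128 bits for every key length
    const int TagLen = 32;  // HMAC-SHA256 output size

    // Assumption: encKey is 32 random bytes (AES-256); macKey is a separate random key.
    // Output layout: IV (16) || ciphertext || HMAC(IV || ciphertext) (32)
    public static byte[] Encrypt(byte[] plaintext, byte[] encKey, byte[] macKey)
    {
        using (var aes = new AesCryptoServiceProvider { Key = encKey, Mode = CipherMode.CBC, Padding = PaddingMode.PKCS7 })
        using (var hmac = new HMACSHA256(macKey))
        using (var ms = new MemoryStream())
        {
            // aes.IV is a fresh random value generated by the provider; it is not secret.
            ms.Write(aes.IV, 0, IvLen);
            using (var enc = aes.CreateEncryptor())
            {
                byte[] ct = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
                ms.Write(ct, 0, ct.Length);
            }
            byte[] tag = hmac.ComputeHash(ms.ToArray());  // encrypt-then-MAC, IV included
            ms.Write(tag, 0, tag.Length);
            return ms.ToArray();
        }
    }

    // Returns null when the message is too short or the MAC does not verify.
    public static byte[] Decrypt(byte[] message, byte[] encKey, byte[] macKey)
    {
        if (message == null || message.Length < IvLen + 16 + TagLen) return null;
        int bodyLen = message.Length - TagLen;
        using (var hmac = new HMACSHA256(macKey))
        {
            byte[] expected = hmac.ComputeHash(message, 0, bodyLen);
            int diff = 0;  // constant-time comparison: no early exit on first mismatch
            for (int i = 0; i < TagLen; i++) diff |= expected[i] ^ message[bodyLen + i];
            if (diff != 0) return null;  // padding is never examined for forged input
        }
        byte[] iv = new byte[IvLen];
        Buffer.BlockCopy(message, 0, iv, 0, IvLen);
        using (var aes = new AesCryptoServiceProvider { Key = encKey, IV = iv, Mode = CipherMode.CBC, Padding = PaddingMode.PKCS7 })
        using (var dec = aes.CreateDecryptor())
            return dec.TransformFinalBlock(message, IvLen, bodyLen - IvLen);
    }
}
```

Encrypting the same plaintext twice with the same keys yields different output because each `AesCryptoServiceProvider` instance gets its own random IV, and flipping any byte of the result makes `Decrypt` return null before the CBC padding is touched.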