0

I'm trying to implement an aes128gcm encryption algorithm so I can push notifications over the web. However there is something that I'm missing because I don't find the purpose of using the salt anywhere.

Encryption Content Coding Header must have the salt value, which is 16 bytes long. Is it used to generate the 128 bit key along the public key provided? Or should I use it somewhere else during the aesgcm encryption?

Thanks beforehand, I'm kinda new to this world and can't seem to find an answer anywhere.

Muck Felo
  • 27
  • 4
  • 1
    Maybe https://en.wikipedia.org/wiki/Salt_(cryptography) – Jean-Baptiste Yunès Aug 18 '17 at 12:23
  • I know what salt is generically, I just don't seem to find which step needs to be applied in this algorithm. – Muck Felo Aug 18 '17 at 12:30
  • 4
    AFAIK GCM does not use a "salt" value. I assume you are referring to the "nonce". – Robert Aug 18 '17 at 12:35
  • [Why do we use the “salt” to secure our passwords?](https://stackoverflow.com/q/5252943/995714), [Can you help me understand what a cryptographic “salt” is?](https://crypto.stackexchange.com/q/1776) – phuclv Aug 18 '17 at 13:19
  • @MuckFelo - I get your question and it is not a duplicate. You are asking why there is a `salt` parameter in HTTP's `Content-Encoding: aes128gcm`. I have just been studying this encoding, i.e https://tools.ietf.org/html/rfc8188. The answer is in Sec. 2.2. The `salt` patemeter is input for HKDF - the HMAC key derivation function to compute the content encryption key. – Ajoy Bhatia Jan 17 '18 at 19:46

2 Answers2

1

What is the SALT role in AES128GCM encryption algorithm

None. Salt is commonly use to randomize password hashing, but that would not be a part of AES-GCM which takes a key (not a password!), IV and plaintext to produce a ciphertext and an authentication tag.

It is certainly possible to use a salt along with a password to derive the key, but that is not a part of AES-GCM.

Artjom B.
  • 61,146
  • 24
  • 125
  • 222
0

If you have a completely deterministic encryption algorithm, then it's vulnerable to dictionary attacks.

For example, if "password" always encrypts to "qbttxpse", then an attacker can look through a list of encrypted passwords, and know that wherever he sees "qbttxpse" the plain password is "password".

I've encountered a messaging system in which messages were stored encrypted without a salt. One customer frequently sent identical messages. Although you couldn't tell what the content was, you could tell how many of the messages were identical. An attacker could exploit this.

Of course there are plenty of more subtle ways that this property can be exploited.

To avoid this, we introduce a salt to proceedings.

  • The input to the encryption contains the plaintext, a key, and a randomly generated salt value.
  • The payload sent to the intended recipient contains the ciphertext and the salt
  • The input to the decryption contains the ciphertext, a key and the salt

So, you need to randomly generate your 16 byte salt for each message, and you need to make room in your transmission protocol to communicate it along with the ciphertext. It could be as simple as just prepending it to the ciphertext.

If you hard-code a fixed salt, and use it at both ends, it will "work" in the sense that you'll be able to encrypt and decrypt ending up with the same message -- but you'll have the vulnerability I described.

By the way - designing protocols around encryption algorithms is fraught with extremely subtle pitfalls, and is probably best left to real experts (I have 20 years experience working at a fairly low level with secure internet protocols -- and I wouldn't trust myself to design a bulletproof encryption layer). Use something established (e.g. SSL or S/MIME) if at all possible.

slim
  • 40,215
  • 13
  • 94
  • 127