0

I'm trying to rework the CNG encryption example in the Microsoft documentation. One peculiar thing about the example is that the encryption IV is hard coded.

I don't know a lot about encryption but my understanding is that it is more secure to generate a random IV for each encrypted data.

Does anyone have any links or examples for how I'd create a good IV for encryption?

Is it enough to just use rand() to come up with N random byte values?

Jonathan Wood
  • 65,341
  • 71
  • 269
  • 466
  • https://learn.microsoft.com/en-us/windows/win32/api/bcrypt/nf-bcrypt-bcryptgenrandom – kelalaka May 10 '21 at 00:40
  • What is your encryption method. That is important. – kelalaka May 10 '21 at 00:40
  • @kelalaka: BCRYPT_AES_ALGORITHM – Jonathan Wood May 10 '21 at 00:42
  • https://stackoverflow.com/q/30720414/1820553 – kelalaka May 10 '21 at 00:49
  • @kelalaka: Looks like that example simply uses `rand()`. – Jonathan Wood May 10 '21 at 00:55
  • *generate a random IV for each encrypted data.* - and save/send this IV for each encrypted data ? are you need IV at all ? depend from for what and how you use encryption. in question such form - not possible give answer – RbMm May 10 '21 at 01:21
  • @RbMm: The link shows exactly how I'm using it. – Jonathan Wood May 10 '21 at 01:53
  • https://security.stackexchange.com/questions/48295/how-to-generate-initalization-vectors-correctly https://crypto.stackexchange.com/questions/3091/generating-a-strong-unique-initialization-vector – Simon Mourier May 10 '21 at 06:10
  • I’m voting to close this question because it belongs to another site, for example https://crypto.stackexchange.com/ – Simon Mourier May 10 '21 at 06:11
  • @JonathanWood - no, you nothing show. for what you use encryption. are exist sense use this at all. need random or another alg – RbMm May 10 '21 at 06:46
  • You should use [`BCryptGenRandom()`](https://learn.microsoft.com/en-us/windows/win32/api/bcrypt/nf-bcrypt-bcryptgenrandom), `rand()` is not enough, s. e.g. [_Do not use..._](https://wiki.sei.cmu.edu/confluence/display/c/MSC30-C.+Do+not+use+the+rand%28%29+function+for+generating+pseudorandom+numbers). – Topaco May 10 '21 at 10:08
  • @JonathanWood What about RijndaelManaged.GenerateIV Method from System.Security.Cryptography.Algorithms.dll? learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.rijndaelmanaged.generateiv?view=net-5.0 – bimjhi May 10 '21 at 10:08
  • Some investigation shows: Microsoft uses GenerateRandom method to generate IV: referencesource.microsoft.com/#mscorlib/system/security/cryptography/rijndaelmanaged.cs,9e759b605e26d684 Its souce code shows that it uses StaticRandomNumberGenerator.GetBytes(key): referencesource.microsoft.com/#mscorlib/system/security/cryptography/utils.cs,e4c2067f875db1a1 Which, in turns, uses CapiNative.GenerateRandomBytes: referencesource.microsoft.com/#mscorlib/system/security/cryptography/rngcryptoserviceprovider.cs,9ec39b46fdc081c7 The latter is deprecated and replaced by BCryptGenRandom function. Regards. – bimjhi May 10 '21 at 13:25

0 Answers0