[aerogear-dev] Encrypted Data and IVs

Bruno Oliveira bruno at abstractj.org
Wed Nov 6 10:24:54 EST 2013


Answers inline.

Summers Pittman wrote:
> Checking my thoughts (and hopefully spurring some discussion)
>
> A key (and thus salt) is unique per user.
> An IV is unique per encrypted message.
The key in our scenario is a composition of salt, IV and passphrase,
unique per user.

Not by message.
> In a key pair, the public key is transmitted to your recipients. The
> private key is kept by the user.
> With a symmetric key, both parties have the key or know how to generate 
> the key.
> The same IV has to be present for a message to be reliably encrypted and 
> decrypted.
Correct.
> Now some questions:
>
> How is a PBKDF2 key transmitted so a message can be decrypted?
For this release we don't have key exchange with the server, and making
use of symmetric encryption for client/server is not ideal. But let's
suppose you really want to do it:

1. Alice will generate the IV, salt and input the password
2. Alice sends the IV and salt to Bob
3. Bob receives the IV and salt and calls Alice saying "WTF lady, how
could I decrypt it?"
4. Alice answers the phone call and says "hey, my password is: pineapple"

Now both parties know how to decrypt the message. In this release we
are laying the groundwork for the key exchange with the server in the
next release; this is what KeyPair stands for.
> In the case of client server how should the IV be generated/transmitted?

The IV can be public information.

Let me know if you have more questions.

-- 
abstractj
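
The Alice/Bob exchange from the message above, as an added example that is not part of the original post and is not AeroGear code: the salt and IV travel in the clear, the passphrase is shared out of band, and both sides derive the same key with PBKDF2. The cipher (AES-256-GCM), the iteration count, the salt and IV sizes, the fresh IV per message and the function names are assumptions made for this sketch.

```javascript
// Added example (Node.js built-in crypto); parameters below are assumed values.
const nodeCrypto = require('crypto');

const ITERATIONS = 100000; // assumed PBKDF2 work factor
const KEY_LEN = 32;        // 256-bit AES key

// Both parties run this with the same passphrase and salt to get the same key.
function deriveKey(passphrase, salt) {
  return nodeCrypto.pbkdf2Sync(passphrase, salt, ITERATIONS, KEY_LEN, 'sha256');
}

// Alice: generate salt and IV, encrypt, and return only what may be sent openly.
function seal(passphrase, plaintext) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12); // 96-bit GCM IV, new for every message
  const key = deriveKey(passphrase, salt);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { salt, iv, ciphertext, tag: cipher.getAuthTag() };
}

// Bob: re-derive the key from the out-of-band passphrase and the received salt.
function unseal(passphrase, msg) {
  const key = deriveKey(passphrase, msg.salt);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, msg.iv);
  decipher.setAuthTag(msg.tag);
  try {
    return Buffer.concat([decipher.update(msg.ciphertext), decipher.final()]).toString('utf8');
  } catch (err) {
    return null; // wrong passphrase, salt or IV, or a modified ciphertext
  }
}

// Constructed sample message; the passphrase is the one from the phone call above.
const wire = seal('pineapple', 'meet at noon');
console.log(unseal('pineapple', wire)); // Bob, after the call
console.log(unseal('pinapple', wire));  // mistyped passphrase is rejected
```

Knowing the salt and IV alone does not let anyone decrypt; the passphrase is the only secret, so its strength and the way it is shared bound the security of the exchange.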

