[aerogear-dev] Encrypted Data and IVs
Corinne Krych
corinnekrych at gmail.com
Wed Nov 6 15:28:34 EST 2013
I see 2 options:
- the one you suggested, you encrypt all data with the same iv, salt + passphrase. The app stores globally iv+salt
- or you encrypt each password (in the case of our demo app) with different IV+salt. You need to store salt+iv locally (in a header) within the encrypted stream. To decrypt, you need first to read the header, exact salt+iv.
Second option is less efficient, but more secure because there is more randomness.
The granularity could be the responsibility of the app developer who can decide when to change the IV+salt.
See some similar idea with code here:
https://github.com/rnapier/RNCryptor/blob/master/RNCryptor/RNEncryptor.m#L115
++
Corinne
On Nov 6, 2013, at 9:13 PM, Bruno Oliveira <bruno at abstractj.org> wrote:
> I'm not following you, could you please elaborate more? Are you
> considering to have an IV, salt per record?
>
> Corinne Krych wrote:
>> If you have encrypted the twitter password and then added to the
>> encrypted twitter password an additional header with salt and iv, you
>> can decrypt. More secure but more storage space. And in this scenario
>> salt and iv storage is taken care by framework.
>
> --
> abstractj
>
>
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
More information about the aerogear-dev
mailing list