[aerogear-dev] Encrypted Data and IVs
Bruno Oliveira
bruno at abstractj.org
Wed Nov 6 16:23:59 EST 2013
Corinne Krych wrote:
> I see 2 options:
> - the one you suggested, you encrypt all data with the same iv, salt + passphrase. The app stores globally iv+salt
That's the goal
> - or you encrypt each password (in the case of our demo app) with different IV+salt. You need to store salt+iv locally (in a header) within the encrypted stream. To decrypt, you need first to read the header, exact salt+iv.
>
> Second option is less efficient, but more secure because there is more randomness.
I must say that I will disappoint you for 2 reasons:
1. You are not adding any extra level of security here, once the IV,
salt is still predictable and stored on the local storage. You are just
delaying the attacker, for some hours and trying to solve the absence of
the server here, but if you guys think that this will add some security,
that's ok.
2. For this release we still don't have an API to query encrypted data.
So unless someone has already implemented it I can't see how to do it,
targeting our release date.
> The granularity could be the responsibility of the app developer who can decide when to change the IV+salt.
Let people choose with previous skills about encryption never work.
That's the reason why we are trying to make it simple here.
> See some similar idea with code here:
> https://github.com/rnapier/RNCryptor/blob/master/RNCryptor/RNEncryptor.m#L115
As far as I know RNCryptor is just a wrapper, so I doubt they are
storing bazillion records + IV, salts. If some app does it locally, it's
just the false sense of security in my opinion.
--
abstractj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: OpenPGP digital signature
Url : http://lists.jboss.org/pipermail/aerogear-dev/attachments/20131106/1ede8e6b/attachment.bin
More information about the aerogear-dev
mailing list