[aerogear-dev] Encrypted Data and IVs

Corinne Krych corinnekrych at gmail.com
Wed Nov 6 16:45:20 EST 2013


On Nov 6, 2013, at 10:23 PM, Bruno Oliveira <bruno at abstractj.org> wrote:

> 
> 
> Corinne Krych wrote:
>> I see 2 options:
>> - the one you suggested: you encrypt all data with the same iv, salt + passphrase. The app stores iv+salt globally.
> That's the goal
>> - or you encrypt each password (in the case of our demo app) with a different IV+salt. You need to store salt+iv locally (in a header) within the encrypted stream. To decrypt, you first need to read the header and extract salt+iv.
>> 
>> The second option is less efficient, but more secure because there is more randomness.
> I must say that I will disappoint you for 2 reasons:
> 
You're not disappointing me. I like to explore solutions in detail.

> 1. You are not adding any extra level of security here, since the IV and
> salt are still predictable and stored in local storage. You are just
> delaying the attacker for some hours and trying to solve the absence of
> the server here, but if you guys think that this will add some security,
> that's ok.
> 
> 2. For this release we still don't have an API to query encrypted data.

Definitely not for this release.

> So unless someone has already implemented it I can't see how to do it,
> targeting our release date.
>> The granularity could be the responsibility of the app developer, who can decide when to change the IV+salt.
> Letting people choose based on their previous encryption skills never works.
> That's the reason why we are trying to make it simple here.
>> See some similar idea with code here:
>> https://github.com/rnapier/RNCryptor/blob/master/RNCryptor/RNEncryptor.m#L115
> As far as I know RNCryptor is just a wrapper, so I doubt they are
> storing a bazillion records + IVs and salts. If some app does it locally, it's
> just a false sense of security in my opinion.
> 
> -- 
> abstractj
> 
> 
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
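The per-record header layout from Corinne's second option, as an added example written for this thread (not AeroGear's or RNCryptor's code): every record gets its own random salt and nonce, stored in a header in front of the ciphertext, and decryption parses the header before re-deriving the key. Assumed choices: AES-256-GCM, PBKDF2-HMAC-SHA256 with 100000 iterations, a 16-byte salt and a 12-byte nonce.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Record layout: salt(16) || nonce(12) || AES-256-GCM ciphertext || tag(16); the
// 28-byte header is parsed first and authenticated as associated data.
const saltLen, hdrLen, iters = 16, 28, 100000

// aeadFor derives this record's AES-256 key with PBKDF2-HMAC-SHA256 (one 32-byte
// block): the same passphrase with a different salt gives an unrelated key.
func aeadFor(pass, salt []byte) cipher.AEAD {
	mac := hmac.New(sha256.New, pass)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index 1
	u := mac.Sum(nil)
	key := append([]byte{}, u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	block, _ := aes.NewCipher(key)  // 32-byte key: cannot fail
	aead, _ := cipher.NewGCM(block) // AES block size: cannot fail
	return aead
}

// Seal draws a fresh random salt and nonce for this record and prepends them.
func Seal(pass, plaintext []byte) ([]byte, error) {
	hdr := make([]byte, hdrLen)
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	return aeadFor(pass, hdr[:saltLen]).Seal(hdr, hdr[saltLen:], plaintext, hdr), nil
}

// Open parses the header, re-derives that record's key, decrypts and checks the tag.
func Open(pass, blob []byte) ([]byte, error) {
	if len(blob) < hdrLen+16 {
		return nil, fmt.Errorf("record of %d bytes is shorter than header plus GCM tag", len(blob))
	}
	return aeadFor(pass, blob[:saltLen]).Open(nil, blob[saltLen:hdrLen], blob[hdrLen:], blob[:hdrLen])
}
```

The header sits in the clear beside the ciphertext, so what this buys is an independent key and nonce per record; it does not make a guessable passphrase any harder to guess, which is Bruno's point above.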