[aerogear-dev] iOS Crypto questions

Douglas Campos qmx at qmx.me
Fri Oct 18 16:04:33 EDT 2013


On Fri, Oct 18, 2013 at 03:28:11PM +0300, Christos Vasilakis wrote:
> Hi,
> 
> during the ongoing work of adding symmetric crypto interface in iOS[1]
> we came up with two issues: 
> 
> - we noticed that in the Java impl of the ‘encrypt’ method[2]  the IV
> is passed as a parameter.  Not sure but is this done for a reason?
> Can’t this be passed as a parameter in the constructor and simplify
> the invoke of just ‘encrypt:data’ ?

You want to have a new IV per cyphertext - if the IV is predictable,
your crypto is busted.[99]

> - the ‘validate’ method[3] in Pbkdf2 class is used from what we have
> seen mostly in tests, is there a reason for it being part of the class
> signature?

PBKDF2 is mostly used for key derivation, which in turn is used for
password authentication. This validate method is part of the public API
for you to be able to assert that given a _password_, it matches
_cyphertext + salt_.

[99]:http://rdist.root.org/2008/02/05/tlsssl-predictable-iv-flaw/

-- 
qmx
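An added example (not AeroGear's code) showing the API shape Douglas argues for: encrypt takes only the data, draws a fresh random IV internally and prepends it to the output, while KeystreamReuseLeaks shows what a constructor-fixed IV costs with a counter-mode cipher. AES-GCM and the nonce-prefix layout are assumptions for this illustration, not taken from the AeroGear implementation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// newGCM builds an AES-GCM AEAD for a 16-, 24- or 32-byte key
// (assumed mode; the AeroGear implementation is not consulted here).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt draws a fresh random nonce (IV) per call and prepends it to the
// ciphertext, so callers pass only the data and never manage IVs. The
// receiver splits the first NonceSize() bytes off again before Open.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// KeystreamReuseLeaks is the anti-pattern of a constructor-fixed IV: GCM's
// counter keystream repeats under the same key and nonce, so for two
// equal-length messages c1 XOR c2 == p1 XOR p2 (and equal plaintexts
// encrypt identically). Returns true when that leak is observed.
func KeystreamReuseLeaks(key, iv, p1, p2 []byte) bool {
	aead, err := newGCM(key)
	if err != nil || len(p1) != len(p2) {
		return false
	}
	c1, c2 := aead.Seal(nil, iv, p1, nil), aead.Seal(nil, iv, p2, nil)
	for i := range p1 {
		if c1[i]^c2[i] != p1[i]^p2[i] {
			return false
		}
	}
	return true
}
```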