Corinne Krych wrote:
I see 2 options:
- the one you suggested, you encrypt all data with the same iv, salt + passphrase. The
app stores globally iv+salt
That's the goal
- or you encrypt each password (in the case of our demo app) with
different IV+salt. You need to store salt+iv locally (in a header) within the encrypted
stream. To decrypt, you need first to read the header, exact salt+iv.
Second option is less efficient, but more secure because there is more randomness.
I must say that I will disappoint you for 2 reasons:
1. You are not adding any extra level of security here, once the IV,
salt is still predictable and stored on the local storage. You are just
delaying the attacker, for some hours and trying to solve the absence of
the server here, but if you guys think that this will add some security,
that's ok.
2. For this release we still don't have an API to query encrypted data.
So unless someone has already implemented it I can't see how to do it,
targeting our release date.
The granularity could be the responsibility of the app developer who
can decide when to change the IV+salt.
Let people choose with previous skills about
encryption never work.
That's the reason why we are trying to make it simple here.
As
far as I know RNCryptor is just a wrapper, so I doubt they are
storing bazillion records + IV, salts. If some app does it locally, it's
just the false sense of security in my opinion.
--
abstractj