Sure, feel free to file JIRAs; this way we don’t miss it in further releases.
--
abstractj
On November 6, 2013 at 7:45:30 PM, Corinne Krych (corinnekrych(a)gmail.com) wrote:
On Nov 6, 2013, at 10:23 PM, Bruno Oliveira wrote:
>
>
> Corinne Krych wrote:
>> I see 2 options:
>> - the one you suggested, you encrypt all data with the same iv, salt + passphrase. The app stores globally iv+salt
> That's the goal
>> - or you encrypt each password (in the case of our demo app) with different IV+salt. You need to store salt+iv locally (in a header) within the encrypted stream. To decrypt, you need first to read the header, extract salt+iv.
>>
>> Second option is less efficient, but more secure because there is more randomness.
> I must say that I will disappoint you for 2 reasons:
>
You're not disappointing me. I like to explore solutions in detail.
> 1. You are not adding any extra level of security here, once the IV,
> salt is still predictable and stored on the local storage. You are just
> delaying the attacker, for some hours and trying to solve the absence of
> the server here, but if you guys think that this will add some security,
> that's ok.
>
> 2. For this release we still don't have an API to query encrypted data.
Definitively not for this release.
> So unless someone has already implemented it I can't see how to do it,
> targeting our release date.
>> The granularity could be the responsibility of the app developer who can decide when to change the IV+salt.
> Letting people choose with previous skills about encryption never works.
> That's the reason why we are trying to make it simple here.
>> See some similar idea with code here:
>> https://github.com/rnapier/RNCryptor/blob/master/RNCryptor/RNEncryptor.m#...
> As far as I know RNCryptor is just a wrapper, so I doubt they are
> storing bazillion records + IV, salts. If some app does it locally, it's
> just the false sense of security in my opinion.
>
> --
> abstractj
>
>
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
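
The second option discussed in the thread (a fresh salt and IV for each record, stored in a header that is read back before decryption), as an added example that is not code from the thread, from AeroGear or from RNCryptor. PBKDF2-HMAC-SHA256, AES-256-GCM, the iteration count, the record layout and all function names are assumptions; the sample values are constructed.

```javascript
// Added example (not from the thread): option 2, a fresh salt + IV per record,
// stored in a header in front of the ciphertext.
const nodeCrypto = require('node:crypto');

// Assumed parameters, not stated in the thread.
const SALT_LEN = 16, IV_LEN = 12, TAG_LEN = 16, KDF_ITERATIONS = 100000;
const HEADER_LEN = SALT_LEN + IV_LEN;

// Passphrase + per-record salt -> 256-bit key (PBKDF2-HMAC-SHA256).
function deriveKey(passphrase, salt) {
  return nodeCrypto.pbkdf2Sync(passphrase, salt, KDF_ITERATIONS, 32, 'sha256');
}

// Hypothetical record layout: salt || iv || ciphertext || GCM tag.
function encryptRecord(passphrase, plaintext) {
  const salt = nodeCrypto.randomBytes(SALT_LEN);
  const iv = nodeCrypto.randomBytes(IV_LEN);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, body, cipher.getAuthTag()]);
}

// Read the header first, re-derive the key, then decrypt and verify the tag.
function decryptRecord(passphrase, record) {
  if (record.length < HEADER_LEN + TAG_LEN) throw new Error('record too short');
  const salt = record.subarray(0, SALT_LEN);
  const iv = record.subarray(SALT_LEN, HEADER_LEN);
  const body = record.subarray(HEADER_LEN, record.length - TAG_LEN);
  const tag = record.subarray(record.length - TAG_LEN);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
}

// Returns null instead of throwing on a wrong passphrase or a modified record.
function tryDecrypt(passphrase, record) {
  try { return decryptRecord(passphrase, record); } catch (e) { return null; }
}

// Constructed sample data: the same password stored twice under one passphrase.
const passphrase = 'constructed-demo-passphrase';
const store = ['hunter2', 'hunter2'].map((p) => encryptRecord(passphrase, p));
console.log(store.map((r) => r.subarray(0, HEADER_LEN).toString('hex')));
console.log(store.map((r) => tryDecrypt(passphrase, r)));
```

The two printed headers differ even though the plaintexts are identical; the salt and IV in the header are not secret, so confidentiality still rests on the passphrase.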