On Fri, Oct 18, 2013 at 03:28:11PM +0300, Christos Vasilakis wrote:
> Hi,
> during the ongoing work of adding symmetric crypto interface in iOS[1]
> we came up with two issues:
> - we noticed that in the Java impl of the ‘encrypt’ method[2] the IV
> is passed as a parameter. Not sure but is this done for a reason?
> Can’t this be passed as a parameter in the constructor and simplify
> the invocation to just ‘encrypt:data’?
You want to have a new IV per cyphertext - if the IV is predictable,
your crypto is busted.[99]
> - the ‘validate’ method[3] in Pbkdf2 class is used from what we have
> seen mostly in tests, is there a reason for it being part of the class
> signature?
PBKDF2 is mostly used for key derivation, which in turn is used for
password authentication. This validate method is part of the public API
for you to be able to assert that given a _password_, it matches
_cyphertext + salt_.
[99]: http://rdist.root.org/2008/02/05/tlsssl-predictable-iv-flaw/
--
qmx
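The PBKDF2 `validate` semantics described in the reply above (re-derive from password + salt and compare against the stored value), as an added example that is not the project's own code; the class name `Pbkdf2`, the method names and the iteration count are assumptions, and the salt is generated fresh per derivation for the same reason the reply gives for a fresh IV per ciphertext.

```python
import hashlib
import hmac
import os

# Added example, not code from the project under discussion: a Pbkdf2-style
# helper whose validate() re-derives the key from (password, salt) and checks
# it against the stored value. Names and parameters are assumed.


class Pbkdf2:
    """PBKDF2-HMAC-SHA256 key derivation with a validate() check."""

    def __init__(self, iterations: int = 100_000, key_len: int = 32):
        self.iterations = iterations
        self.key_len = key_len

    @staticmethod
    def new_salt(length: int = 16) -> bytes:
        # Fresh random salt per derivation: reusing one makes identical
        # passwords yield identical output, just as a reused IV leaks equal
        # plaintext blocks.
        return os.urandom(length)

    def encrypt(self, password: bytes, salt: bytes) -> bytes:
        # Derive the key ("cyphertext" in the thread's wording) from password + salt.
        return hashlib.pbkdf2_hmac("sha256", password, salt, self.iterations, self.key_len)

    def validate(self, password: bytes, encrypted: bytes, salt: bytes) -> bool:
        # Re-derive with the stored salt and compare in constant time so the
        # comparison does not leak how many leading bytes matched.
        derived = self.encrypt(password, salt)
        return hmac.compare_digest(derived, encrypted)


def demo() -> dict:
    # Constructed sample: derive once, then validate the right and wrong inputs.
    kdf = Pbkdf2(iterations=10_000)
    salt = Pbkdf2.new_salt()
    stored = kdf.encrypt(b"correct horse", salt)
    return {
        "ok": kdf.validate(b"correct horse", stored, salt),
        "wrong_password": kdf.validate(b"wrong", stored, salt),
        "wrong_salt": kdf.validate(b"correct horse", stored, Pbkdf2.new_salt()),
    }


if __name__ == "__main__":
    print(demo())
```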