Re: [aerogear-dev] Encrypted Data and IVs

Corinne Krych wrote: > I see 2 options: > - the one you suggested, you encrypt all data with the same iv, salt + passphrase. The app stores globally iv+salt That's the goal > - or you encrypt each password (in the case of our demo app) with different IV+salt. You need to store salt+iv locally (in a header) within the encrypted stream. To decrypt, you need first to read the header, exact salt+iv. > > Second option is less efficient, but more secure because there is more randomness. I must say that I will disappoint you for 2 reasons:

1. You are not adding any extra level of security here, once the IV, salt is still predictable and stored on the local storage. You are just delaying the attacker, for some hours and trying to solve the absence of the server here, but if you guys think that this will add some security, that's ok. 2. For this release we still don't have an API to query encrypted data.

So unless someone has already implemented it I can't see how to do it, targeting our release date. > The granularity could be the responsibility of the app developer who can decide when to change the IV+salt. Let people choose with previous skills about encryption never work. That's the reason why we are trying to make it simple here. > See some similar idea with code here: > https://github.com/rnapier/RNCryptor/blob/master/RNCryptor/RNEncryptor.m#... As far as I know RNCryptor is just a wrapper, so I doubt they are storing bazillion records + IV, salts. If some app does it locally, it's just the false sense of security in my opinion. -- abstractj _______________________________________________ aerogear-dev mailing list aerogear-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/aerogear-dev