Monday, April 7, 2014

Encryption mode (ECB, CBC), padding, IV, salt, iteration count

For encryption mode selection, ECB mode should be avoided, the major issue with ECB is the encryption key will generate the identical ciphertext each time on the identical plaintext, so it does not hide data pattern. CBC or other encryption mode should be used if possible.

When using CBC, it uses IV (initialization vector) to alter the plaintext before encrypting with the encryption key, so it will generates a different ciphertext from the same key and plaintext. The IV is not secret, and it is required during encryption. Be sure to use a random IV each time when encrypting a blob.

As CBC works on a fixed block size, so the plaintext needs to be changed to be multiple of the block size. To do this, padding is used to append extra bytes at the end of plain text. Decryption should know what padding is used when encrypting, so the padding can be removed properly

Salt and iteration count are used to generate an encryption key from a user provided password. Salt is added to the password before it is used as encryption key. In this sense, it works in similar way as IV to break the pattern. Iteration count is how many times a encryption function should be called when convert a salted password to encryption key, its only purpose is increasing the delay for a brute fore attack. Salt and iteration count should be stored with the generated encryption key.



1 comment: