Passphrase, Salt and IV, do I need all of these?

encryption aes rijndaelmanaged
Kelvin picture Kelvin · Dec 15, 2009 · Viewed 23.8k times · Source

If I am using Rijndael CBC mode, I have no idea why we would need salt. My understanding is even if people know the password, but he cannot get the data without IV. So from my perspective, password + IV seem to be sufficent secure.

Do I get anything wrong?

Answer

erickson picture erickson · Dec 15, 2009

Yes, you need all of these things.

Salt (and an "iteration count") is used to derive a key from the password. Refer to PKCS #5 for more information. The salt and iteration count used for key derivation do not have to be secret. The salt should be unpredictable, however, and is best chosen randomly.

CBC mode requires an initialization vector. This is a block of random data produced for each message by a cryptographic random number generator. It serves as the dummy initial block of ciphertext. Like the key-derivation salt, it doesn't have to be kept secret, and is usually transmitted along with the cipher text.

The password, and keys derived from it, must be kept secret. Even if an attacker has the parameters for key derivation and encryption, and the ciphertext, he can do nothing without the key.

Update:

Passwords aren't selected randomly; some passwords are much more likely than others. Therefore, rather than generating all possible passwords of a given length (exhaustive brute-force search), attackers maintain a list of passwords, ordered by decreasing probability.

Deriving an encryption key from a password is relatively slow (due to the iteration of the key derivation algorithm). Deriving keys for a few million passwords could take months. This would motivate an attacker to derive the keys from his most-likely-password list once, and store the results. With such a list, he can quickly try to decrypt with each key in his list, rather than spending months of compute time to derive keys again.

However, each bit of salt doubles the space required to store the derived key, and the time it takes to derive keys for each of his likely passwords. A few bytes of salt, and it quickly becomes infeasible to create and store such a list.

Salt is necessary to prevent pre-computation attacks.

An IV (or nonce with counter modes) makes the same plain text produce different cipher texts. The prevents an attacker from exploiting patterns in the plain text to garner information from a set of encrypted messages.

An initialization vector is necessary to hide patterns in messages.

One serves to enhance the security of the key, the other enhances the security of each message encrypted with that key. Both are necessary together.

Related questions

RijndaelManaged "Padding is invalid and cannot be removed" that only occurs when decrypting in production

I know other questions have been asked on this but none so far have provided a solution or are exactly the issue I have. The class below handles the encryption and decryption of strings, the key and vector passed in …

Read More
Reading from a cryptostream to the end of the stream

I'm having some trouble with the code below. I have a file in a temporary location which is in need of encryption, this function encrypts that data which is then stored at the "pathToSave" location. On inspection is does not …

Read More
How can I decrypt a string using AES algorithm in c#?

I have an encrypted string from one of our customers. This string was encrypted using the AES method in Java. The only thing I have is the key: "xxxxxxxxxxxxxxxxxxxxxxxx" (24 chars) and the encrypted text: "56e84e9f6344826bcfa439cda09e5…

Read More