Is there any difference, if I init AES cipher, with and without IvParameterSpec

Cheok Yan Cheng · Apr 11, 2015 · Viewed 15.2k times · Source

I was wondering, is there any difference, if I init AES cipher, with and without IvParameterSpec?

With IvParameterSpec

SecretKeySpec skeySpec = new SecretKeySpec(key, "AES");
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.ENCRYPT_MODE, skeySpec, new IvParameterSpec(new byte[16]));

Without IvParameterSpec

SecretKeySpec skeySpec = new SecretKeySpec(key, "AES");
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.ENCRYPT_MODE, skeySpec);

I tested with some sample test data, their encryption and decryption result yield the same.

However, since I'm not a security expert, I don't want to miss out anything and create a potential security loophole. I was wondering, which is the correct way?

Answer

Justin King-Lacroix · Apr 11, 2015

A bit of background (I'm sorry if you already know this, it's just worth making sure we're using the same terminology):

  • AES is a block cipher, an encryption algorithm that operates on 128-bit blocks.
  • CBC is a block cipher mode, a way of using a block cipher to encrypt large amounts of data.
  • Block cipher modes need an initialisation vector (IV), which is a block of initialisation data, usually the same size as the block size of the underlying cipher.

(The Wikipedia article on block cipher modes - http://en.wikipedia.org/wiki/Block_cipher_mode - is really good, and makes it clear why you need an IV.)

Different block modes impose different requirements on the IV selection process, but they all have one thing in common:

You must never encrypt two different messages with the same IV and key. If you do, an attacker can usually get your plaintext, and sometimes your key (or equivalently useful data).

CBC imposes an additional constraint, which is that the IV must be unpredictable to an attacker - so artjom-b's suggestion of using a SecureRandom to generate it is a good one.

Additionally, as artjom-b points out, CBC only gives you confidentiality. What that means in practice is that your data is kept secret, but there's no guarantee that it arrives in one piece. Ideally, you should use an authenticated mode, such as GCM, CCM, or EAX.

Using one of these modes is a really, really good idea. Encrypt-then-MAC is unwieldy even for the experts; avoid it if you can. (If you have to do it, remember that you must use different keys for encryption and MAC.)
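The points in this answer (IV reuse under CBC, the provider-chosen IV when no IvParameterSpec is given, and an authenticated mode instead of plain CBC) in one runnable Java program. This is an added example, not code from the question or the answer; the class name IvDemo, the literal demo key and the sample messages are constructed for illustration, and the behaviour of `cipher.init(DECRYPT_MODE, key)` without an IV is that of the default SunJCE provider.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class IvDemo {
    private static final SecureRandom RNG = new SecureRandom();
    // Constructed 128-bit demo key; real code uses KeyGenerator or a KDF, never a literal.
    private static final SecretKey KEY =
            new SecretKeySpec("0123456789abcdef".getBytes(StandardCharsets.US_ASCII), "AES");

    // 1. Fixed IV (the question's `new byte[16]`): CBC with the same key and IV is
    //    deterministic, so equal leading plaintext blocks give equal leading ciphertext blocks.
    static byte[] cbcFixedIv(byte[] plaintext) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, KEY, new IvParameterSpec(new byte[16]));
        return c.doFinal(plaintext);
    }

    // 2. The question's "without IvParameterSpec" form. SunJCE picks a random IV in
    //    ENCRYPT_MODE; the ciphertext is only decryptable later if you fetch and store getIV().
    static byte[][] cbcProviderIv(byte[] plaintext) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, KEY);           // no IV supplied
        return new byte[][] { c.getIV(), c.doFinal(plaintext) };
    }

    // 3. Explicit SecureRandom IV, prepended to the ciphertext so the receiver can decrypt.
    static byte[] cbcRandomIv(byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[16];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, KEY, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    static byte[] cbcDecrypt(byte[] ivAndCt) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, KEY, new IvParameterSpec(Arrays.copyOf(ivAndCt, 16)));
        return c.doFinal(ivAndCt, 16, ivAndCt.length - 16);
    }

    // 4. Authenticated mode: AES-GCM with a fresh 96-bit nonce and a 128-bit tag.
    static byte[] gcmEncrypt(byte[] plaintext) throws GeneralSecurityException {
        byte[] nonce = new byte[12];
        RNG.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, KEY, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = Arrays.copyOf(nonce, nonce.length + ct.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    static byte[] gcmDecrypt(byte[] nonceAndCt) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, KEY, new GCMParameterSpec(128, Arrays.copyOf(nonceAndCt, 12)));
        // Throws AEADBadTagException if the nonce, ciphertext or tag were modified.
        return c.doFinal(nonceAndCt, 12, nonceAndCt.length - 12);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample messages that share their first 16-byte block.
        byte[] m1 = "Account balance: 100 USD, ref 1".getBytes(StandardCharsets.UTF_8);
        byte[] m2 = "Account balance: 100 USD, ref 2".getBytes(StandardCharsets.UTF_8);

        // Fixed IV: the first 16 ciphertext bytes match, revealing that the messages share a prefix.
        byte[] c1 = cbcFixedIv(m1), c2 = cbcFixedIv(m2);
        System.out.println("fixed IV, first block equal: "
                + Arrays.equals(Arrays.copyOf(c1, 16), Arrays.copyOf(c2, 16)));

        // Random IV: the same two messages no longer share a ciphertext block.
        byte[] r1 = cbcRandomIv(m1), r2 = cbcRandomIv(m2);
        System.out.println("random IV, first block equal: "
                + Arrays.equals(Arrays.copyOfRange(r1, 16, 32), Arrays.copyOfRange(r2, 16, 32)));
        System.out.println("CBC round trip: " + new String(cbcDecrypt(r1), StandardCharsets.UTF_8));

        // Provider-chosen IV: fine if you keep getIV(); decrypting without an IV is rejected.
        byte[][] p = cbcProviderIv(m1);
        System.out.println("provider IV length: " + p[0].length);
        try {
            Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
            c.init(Cipher.DECRYPT_MODE, KEY);   // no IV -> SunJCE throws "Parameters missing"
        } catch (GeneralSecurityException e) {
            System.out.println("decrypt without IV: " + e);
        }

        // GCM: a single flipped ciphertext bit is detected instead of decrypting to garbage.
        byte[] g = gcmEncrypt(m1);
        System.out.println("GCM round trip: " + new String(gcmDecrypt(g), StandardCharsets.UTF_8));
        g[20] ^= 0x01;
        try {
            gcmDecrypt(g);
        } catch (GeneralSecurityException e) {
            System.out.println("GCM tamper detected: " + e.getClass().getSimpleName());
        }
    }
}
```

Compile and run with `javac IvDemo.java && java IvDemo`. The first check prints `true` because CBC with a fixed IV is deterministic; the second prints `false` on any run where the two random IVs differ, which is the point of using SecureRandom. The GCM section shows why the answer recommends an authenticated mode: the modified ciphertext is rejected at doFinal rather than returning corrupted plaintext, and the nonce is carried alongside the ciphertext exactly as the CBC IV is.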