0

Let's say, Alice uses AES256-CBC to encrypt some data. The key for encryption is derived using PBKDF2, where password is some passphrase Alice and Bob agreed on (using DH) and salt is random generated (using /dev/urandom for now)*. The IV for the CBC is generated the same way as the salt.

Now Bob receives the cipher and would like to authenticate it, so he can tell for sure, that the message really came from Alice (or anyone else who knows the passphrase). Should Alice encrypt the data first, use the derived key as password, the cipher as message and append/prepend the result to the cipher? Or she ought to use the derived key as password, the plain text as message, prepend the HMAC to the plain text and encrypt?
(There is a lot of related questions and answers, I am just confused what to use when and what are the pros and cons)

Another problem I'm struggling with is, how will Bob get the IV and the salt which were randomly generated at encryption time?

Last problem I'm trying to solve is, when Bob will decrypt the cipher, how can he know the password he entered is correct, without decrypting all of the data?

*Is /dev/urandom secure enough to generate random salt and IV?

Just to clarify, I don't intend to use this implementation in real world situation, this is purely for educational purpose

ProXicT
  • 135
  • 5
  • 1
    For urandom see e.g. http://security.stackexchange.com/questions/3936/is-a-rand-from-dev-urandom-secure-for-a-login-key – aventurin Sep 13 '16 at 21:01

1 Answers1

3

Now Bob receives the cipher and would like to authenticate it, so he can tell for sure, that the message really came from Alice (or anyone else who knows the passphrase).

Bob should be using an AEAD mode of AES, full-stop. GCM is the go-to candidate for this, rolling your own CBC+HMAC mode is also possible, but should be used as a last resort and only if you emphatically know what you're doing.

Another problem I'm struggling with is, how will Bob get the IV and the salt which were randomly generated at encryption time?

IVs and salts are not secret. Send them with the ciphertext.

Besides your direct question, it looks like you're trying to wire together your own transport encryption protocol. I strongly recommend you just use TLS instead. Barring that, I'd recommend using libsodium's out-of-the-box AEAD modes instead of rolling your own.

Community
  • 1
Stephen Touset
  • 11,002
  • 1
  • 38
  • 53
  • As I said, I do that just for educational purpose and don't intend to use this implementation in real world situation. My question about the authentication might seem a little bit unclear. I do want to implement my own CBC+HMAC, I just don't know which way. This part of question is strongly related to my other question, how can I tell if the password is incorrect when decrypting, without decrypting all of the data? And is that even right approach? Thanks for clearing out the Salt and IV, I thought it must be kept in secret.. – ProXicT Sep 14 '16 at 08:24
  • 1
    Sorry, I missed the part where this was for educational purposes. My link should have more information on how to roll your own CBC+HMAC. The entire point of the HMAC (or authenticated modes in general) is that you can validate the authenticity of all the inputs before decrypting, which answers the other part of your question. – Stephen Touset Sep 14 '16 at 19:04
  • Thank you very much! The last sentence was really important for me, can you add that to your answer so it is more visible? Have a great day! – ProXicT Sep 15 '16 at 00:15