cooky451

Reputation: 3510

Initialization Vector Creation

My program connects to a server, the public key of the server is already known. The program then encrypts a AES key together with an initialization vector, and sends it to the server. The server decrypts the message and from now on AES is used to encrypt the conversation.

My question is about how to generate the IV. If I go the naive way and seed a pseudo random generator with the current time, an attacker could probably make a few very good guesses about the IV, which is of course not what I want.

As hardware random generators are not only slow, but also not available everywhere, I'd like to go for a different approach. When the client program is first started, I let the user make a few random mouse moves, just like TrueCrypt does. I now save those "random bits" created by the mouse movement and when I need a generator, I'll use them as a seed. Of course, the random bits have to get updated every time I use them as seed. And this is my question: I thought about just saving the first few random bits generated as the new "random bits". (So they get used to initialize the random engine next time the software starts.) Now I'm not sure if this would be random enough or if pseudo random generators would show guessable patterns here. (I'd probably use std::mt19937 http://en.cppreference.com/w/cpp/numeric/random)

Edit: The chaining mode changes, so I want it to work for the mode with the "highest" requirements. Which would be CBC if I remember correctly.

Please note: The software I'm writing is purely experimental.

Upvotes: 1

Views: 1130

Answers (3)

SquareRootOfTwentyThree

Reputation: 7786

You should clarify which chaining mode you plan to use. The security requirements for the initialization vector strongly depend on that.

For instance, in CBC mode the IV must be unpredictable and unique. For CTR mode, it must only be unique, not necessarily unpredictable.

Upvotes: 1

CodesInChaos

Reputation: 108880

Use a cryptography PRNG, just like you do for the key.

On Windows use CryptGenRandom/RtlGenRandom and on Linux/Unix use /dev/urandom. Those get seeded by the OS, so you don't need to take care of it.

If you really want to create your own PRNG, look into Fortuna. Don't use a Mersenne twister.

Upvotes: 2
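The clock-seeded Mersenne twister the question considers, beside the /dev/urandom route this answer recommends, as an added C++ example that is not from the question or any answer. The function names are my own; the urandom path assumes Linux/Unix and simply returns false on Windows, where CryptGenRandom/RtlGenRandom would be used instead.

```cpp
// Added example (not from the question or the answers): why a time-seeded
// std::mt19937 is a poor IV source, and how to read a CBC IV from the
// kernel-seeded CSPRNG via /dev/urandom instead. Function names are assumptions.
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <ctime>
#include <random>

constexpr std::size_t kAesBlockBytes = 16;   // AES block size = CBC IV length
using Iv = std::array<std::uint8_t, kAesBlockBytes>;

// The "naive way" from the question: seed a Mersenne twister with the clock.
// Anyone who guesses the seed (a 32-bit timestamp) reproduces the IV exactly.
Iv iv_from_time_seeded_mt19937(std::uint32_t seed) {
    std::mt19937 gen(seed);
    Iv iv{};
    for (auto &b : iv) b = static_cast<std::uint8_t>(gen());  // low byte of each output
    return iv;
}

// The recommended approach: pull the IV from the OS CSPRNG (Linux/Unix only here).
// Handles short reads; returns false if /dev/urandom cannot be opened or read.
bool iv_from_urandom(Iv &iv) {
    std::FILE *f = std::fopen("/dev/urandom", "rb");
    if (!f) return false;
    std::size_t got = 0;
    while (got < iv.size()) {
        std::size_t n = std::fread(iv.data() + got, 1, iv.size() - got, f);
        if (n == 0) { std::fclose(f); return false; }
        got += n;
    }
    std::fclose(f);
    return true;
}

int main() {
    std::uint32_t now = static_cast<std::uint32_t>(std::time(nullptr));
    Iv a = iv_from_time_seeded_mt19937(now);
    Iv b = iv_from_time_seeded_mt19937(now);   // an observer guessing the same second
    std::printf("time-seeded IVs identical: %s\n", a == b ? "yes" : "no");
    Iv c{}, d{};
    if (iv_from_urandom(c) && iv_from_urandom(d))
        std::printf("urandom IVs identical: %s\n", c == d ? "yes" : "no");
    return 0;
}
```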

Bas Wijnen

Reputation: 1328

Pseudo-random generators are nice for things where you don't want users to be able to predict the outcome (such as dice rolls in games), but worthless for cases where you don't want a computer to be able to compute it. For cryptography, don't use pseudo-randomness at all.

If you want randomness, you need actual random data. As you write, mouse movements are a good source for that. Given that you don't talk about /dev/random, I take it you're running on Windows, which unfortunately doesn't gather randomness while running. So you will have to do this yourself. Depending on the use case, you can run a randomness daemon at startup which keeps gathering random data and allows your program to retrieve it when it is needed, or you can ask the user to make some mouse movements when your program starts.

Or you can decide that if Windows doesn't want you to have real random data, you don't want to use Windows, but I suppose that's not an option. ;-)

Upvotes: -1
