Reputation: 3433
Handling transfer of iv (initialization vectors)
I have a site A and site B where site A needs to send sensitive encrypted data to site B for site B to decrypt. I know that its best to encrypt using a randomized cryptographic initialization vector (iv) which is unique to each secret string, but my question is:
Given the transfer is made using https, is it safe to send the iv along with the cipher text? Are there best practices to follow for transfer of the iv?
My understanding is that the iv is part of the beginning of the cipher text so I'm inclined to believe there's no real security threat in having the iv in plain sight.
Thanks!
Upvotes: 6
Views: 2011
Answers (1)
Reputation: 299265
A random IV is not a secret. It is no more sensitive than the ciphertext itself. You can transmit it along with the ciphertext without concern.
The only secret in a properly designed crypto system is the key (and obviously the plaintext). Everything else (IVs, salts, algorithms, padding, everything) is assumed be be known by attackers.
Upvotes: 11
Related Questions
- Storing the Initialization Vector - Separate field?
- Encrypt and decrypt a file with streams, using an appended initalisation vector java
- Java AES encryption/decryption procedure and usage of Initialization Vector
- AES 256 Encryption -> Changing inititialization vector slightly changes decrypted message without knowing key
- How to decrypt a message using the Vigenere Cipher
- Node.js crypto key and iv to match java SecretKeySpec / IvParameterSpec
- What encryption scheme should be used where the order of encryption and decryption doesn't matter?
- Will Initialization Vectors grow in size in the future?
- How does the receiver of a cipher text know the IV used for encryption?
- Transferring cryptographic initialization vectors