AES Encryption - Key versus IV

Question

The application I am working on lets the user encrypt files. The files could be of any format (spreadsheet, document, presentation, etc.).

For the specified input file, I create two output files - an encrypted data file and a key file. You need both these files to obtain your original data. The key file must work only on the corresponding data file. It should not work on any other file, either from the same user or from any other user.

AES algorithm requires two different parameters for encryption, a key and an initialization vector (IV).

I see three choices for creating the key file:

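  1. Embed hard-coded IV within the application and save the key in the key file.
  2. Embed hard-coded key within the application and save the IV in the key file.
  3. Save both the key and the IV in the key file.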

Note that it is the same application that is used by different customers.

It appears all three choices would achieve the same end goal. However, I would like to get your feedback on what the right approach should be.

Recommended answer

As you can see from the other answers, having a unique IV per encrypted file is crucial, but why is that?

First - let's review why a unique IV per encrypted file is important. (Wikipedia on IV). The IV adds randomness to the start of your encryption process. When using a chained block encryption mode (where one block of encrypted data incorporates the prior block of encrypted data) we're left with a problem regarding the first block, which is where the IV comes in.

If you had no IV, and used chained block encryption with just your key, two files that begin with identical text will produce identical first blocks. If the input files changed midway through, then the two encrypted files would begin to look different beginning at that point and through to the end of the encrypted file. If someone noticed the similarity at the beginning, and knew what one of the files began with, he could deduce what the other file began with. Knowing what the plaintext file began with and what its corresponding ciphertext is could allow that person to determine the key and then decrypt the entire file.

Now add the IV - if each file used a random IV, their first block would be different. The above scenario has been thwarted.

Now what if the IV were the same for each file? Well, we have the problem scenario again. The first block of each file will encrypt to the same result. Practically, this is no different from not using the IV at all.

So now let's get to your proposed options:

Option 1. Embed hard-coded IV within the application and save the key in the key file.

Option 2. Embed hard-coded key within the application and save the IV in the key file.

These options are pretty much identical. If two files that begin with the same text produce encrypted files that begin with identical ciphertext, you're hosed. That would happen in both of these options. (Assuming there's one master key used to encrypt all files).

Option 3. Save both the key and the IV in the key file.

If you use a random IV for each key file, you're good. No two key files will be identical, and each encrypted file must have its key file. A different key file will not work.

PS: Once you go with option 3 and random IVs - start looking into how you'll determine if decryption was successful. Take a key file from one file, and try using it to decrypt a different encryption file. You may discover that decryption proceeds and produces garbage results. If this happens, begin research into authenticated encryption.
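
The following is an added example, not part of the original answer: it encrypts two constructed files that share a 32-byte header under one master key with AES-CBC, once with a hard-coded IV and once with a fresh random IV per file, and counts how many leading ciphertext blocks match. The function names, the all-zero "hard-coded" IV and the sample file contents are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// randomBytes returns n bytes from the operating system's CSPRNG.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// cbcEncrypt encrypts pt with AES-256-CBC. Padding is omitted: pt must be a multiple of 16 bytes.
func cbcEncrypt(key, iv, pt []byte) []byte {
	block, _ := aes.NewCipher(key) // key is always 32 bytes here, so NewCipher cannot fail
	out := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, pt)
	return out
}

// SharedLeadingBlocks counts the identical 16-byte blocks at the start of two ciphertexts.
func SharedLeadingBlocks(a, b []byte) int {
	n := 0
	for (n+1)*16 <= len(a) && (n+1)*16 <= len(b) && bytes.Equal(a[n*16:(n+1)*16], b[n*16:(n+1)*16]) {
		n++
	}
	return n
}

// Compare encrypts two constructed files (same 32-byte header, different final block) both ways.
func Compare() (fixedIV, randomIV int) {
	key := randomBytes(32) // one master key for all files, as the answer assumes
	f1 := append(bytes.Repeat([]byte("H"), 32), bytes.Repeat([]byte("A"), 16)...)
	f2 := append(bytes.Repeat([]byte("H"), 32), bytes.Repeat([]byte("B"), 16)...)
	iv := make([]byte, 16) // stand-in for an IV hard-coded in the application
	fixedIV = SharedLeadingBlocks(cbcEncrypt(key, iv, f1), cbcEncrypt(key, iv, f2))
	randomIV = SharedLeadingBlocks(cbcEncrypt(key, randomBytes(16), f1), cbcEncrypt(key, randomBytes(16), f2))
	return
}

func main() {
	fmt.Println(Compare()) // shared leading blocks: fixed IV, then random IVs
}
```

With the fixed IV the shared header shows up as matching ciphertext blocks; with per-file random IVs no leading block matches.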
