AES Encryption - Key versus IV


Problem description

The application I am working on lets the user encrypt files. The files could be of any format (spreadsheet, document, presentation, etc.).

For the specified input file, I create two output files - an encrypted data file and a key file. You need both these files to obtain your original data. The key file must work only on the corresponding data file. It should not work on any other file, either from the same user or from any other user.

AES algorithm requires two different parameters for encryption, a key and an initialization vector (IV).

I see three choices for creating the key file:


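  1. Embed hard-coded IV within the application and save the key in the key file.
  2. Embed hard-coded key within the application and save the IV in the key file.
  3. Save both the key and the IV in the key file.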

Note that it is the same application that is used by different customers.

It appears all three choices would achieve the same end goal. However, I would like to get your feedback on what the right approach should be.

Recommended answer

As you can see from the other answers, having a unique IV per encrypted file is crucial, but why is that?

First - let's review why a unique IV per encrypted file is important. (Wikipedia on IV). The IV adds randomness to the start of your encryption process. When using a chained block encryption mode (where one block of encrypted data incorporates the prior block of encrypted data) we're left with a problem regarding the first block, which is where the IV comes in.

If you had no IV, and used chained block encryption with just your key, two files that begin with identical text will produce identical first blocks. If the input files changed midway through, then the two encrypted files would begin to look different beginning at that point and through to the end of the encrypted file. If someone noticed the similarity at the beginning, and knew what one of the files began with, he could deduce what the other file began with. Knowing what the plaintext file began with and what its corresponding ciphertext is could allow that person to determine the key and then decrypt the entire file.

Now add the IV - if each file used a random IV, their first block would be different. The above scenario has been thwarted.

Now what if the IV were the same for each file? Well, we have the problem scenario again. The first block of each file will encrypt to the same result. Practically, this is no different from not using the IV at all.

So now let's get to your proposed options:


Option 1. Embed hard-coded IV within the application and save the key in the key file.

Option 2. Embed hard-coded key within the application and save the IV in the key file.

These options are pretty much identical. If two files that begin with the same text produce encrypted files that begin with identical ciphertext, you're hosed. That would happen in both of these options. (Assuming there's one master key used to encrypt all files).


Option 3. Save both the key and the IV in the key file.

If you use a random IV for each key file, you're good. No two key files will be identical, and each encrypted file must have its key file. A different key file will not work.

PS: Once you go with option 3 and random IVs - start looking into how you'll determine if decryption was successful. Take a key file from one file, and try using it to decrypt a different encryption file. You may discover that decryption proceeds and produces garbage results. If this happens, begin research into authenticated encryption.
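The two effects described in the answer above, as an added example that is not part of the original question or answer: AES-CBC with a fixed IV versus a random IV on two files sharing a first block, and an authenticated mode rejecting another file's key. Go, AES-GCM as the authenticated mode, the all-zero "hard-coded" IV, the sample data and all function names are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed sample "files": same first 16-byte block, different second block.
var fileA = []byte("REPORT HEADER v1alpha payload...")
var fileB = []byte("REPORT HEADER v1bravo payload...")

// must panics on error; acceptable for a demo, not for production code.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// randBytes returns n bytes from the OS CSPRNG (keys, IVs, nonces).
func randBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// firstBlockCBC encrypts pt (a multiple of 16 bytes) and returns ciphertext block 1.
func firstBlockCBC(key, iv, pt []byte) []byte {
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(must(aes.NewCipher(key)), iv).CryptBlocks(ct, pt)
	return ct[:aes.BlockSize]
}

// newGCM builds an AES-GCM AEAD; its Open returns an error on a wrong key.
func newGCM(key []byte) cipher.AEAD {
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}

func main() {
	key, fixedIV := randBytes(32), make([]byte, 16) // all-zero IV stands in for a hard-coded one
	fmt.Println("fixed IV, first blocks equal: ", bytes.Equal(firstBlockCBC(key, fixedIV, fileA), firstBlockCBC(key, fixedIV, fileB)))
	fmt.Println("random IV, first blocks equal:", bytes.Equal(firstBlockCBC(key, randBytes(16), fileA), firstBlockCBC(key, randBytes(16), fileB)))
	nonce, otherKey := randBytes(12), randBytes(32) // otherKey plays the role of a different key file
	_, err := newGCM(otherKey).Open(nil, nonce, newGCM(key).Seal(nil, nonce, fileA, nil), nil)
	fmt.Println("GCM open with another file's key:", err)
}
```

With plain CBC, decrypting with the wrong key typically fails only at the padding check or not at all, which is why the authentication tag is the reliable success signal.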
