Mark, Pardon me for being dense. But if you send an iv with the data, can’t a hacker obtain and use that iv to support hacking the encrypted data?
What I understand, possibly erroneous, is that a Dictionary attack involves trying all possible combinations of a key. A 32 char key would have 2**(32*8) combinations. The iv vector increases the possible combinations to [2**(32*8)]*[2**(16*8)] and makes dictionary attacks much less practical.. Now I’m wondering whether I’m understanding what the iv does. If the iv for data with an unknown key, is known, can’t that iv be used to reduce the number of possible combinations of keys back to the 2**(16*32) value, making the use of an iv irrelevant? I am going to google this to see if I can get more info, but please chime in if I am on the wrong track. Best, Bill Bill William Prothero http://earthlearningsolutions.org > On Jun 28, 2018, at 12:30 PM, Mark Wieder via use-livecode > <use-livecode@lists.runrev.com> wrote: > >> On 06/28/2018 09:17 AM, William Prothero via use-livecode wrote: >> >> I understand Mark’s comment about putting the key and IV vector in the >> .htaccess file. I will do this as soon as I figure out if I’ve destroyed my >> server by deleting all files in the /etc/httpd directory by mistake (I was >> trying to set an environment variable in that directory and ….. arg…l). >> However, if IV is a random vector, I don’t understand how the php code that >> accesses the mySQL db would decode the commands and data. The setup would be >> different for password verification because it doesn’t need to be decoded to >> be verified. However, for access to a mySQL server, it needs to be decoded >> on the server. My understanding was that the function of the IV was to >> increase the number of possible keys to make a dictionary attack less >> feasible. Also, my php docs say the IV should be 16 bits. I haven’t tried >> more, but I do get an error message complaining about IV not being 16 bits. > > There's no requirement for the initialization vector to be private, just that > it is unique among all messages using the same encryption key. It can be > posted to the server along with the encrypted data. Thus you can use a new > randomized iv for each post, and the php code on the server would take the > posted iv and use it with the already-known encryption key to decrypt the > data. > > Ignore my comment about 16 bits. You're supplying an iv of 16 *bytes*, which > is 128 bytes. That's standard for normal use. If you want to get serious > about it, you could double the length. > > -- > Mark Wieder > ahsoftw...@gmail.com > > _______________________________________________ > use-livecode mailing list > use-livecode@lists.runrev.com > Please visit this url to subscribe, unsubscribe and manage your subscription > preferences: > http://lists.runrev.com/mailman/listinfo/use-livecode _______________________________________________ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
