AES-256 Encryption Best Practices

William Prothero waprothero at gmail.com
Mon Jul 2 23:37:47 EDT 2018 

Folks:
I’ve been working on a sample stack to demonstrate encryption, best practices (as far as I can determine).
The online lessons are not adequate for a robust solution to this vital security issue. I’ve posted a demo stack at: http://earthlearningsolutions.org/google-static-maps-demo/ <http://earthlearningsolutions.org/google-static-maps-demo/>  This stack has benefited from feedback and ideas from folks on this list. Feedback is welcome.

This stack generates a random iv vector and uses AES-256 encryption to encode an array containing commands for interaction with a mySQL server. The server side php script that decodes the data and encodes the returned response is included.

On thing I am still unsure about is the best way to generate a random string of characters that I use for the random IV (initialization vector) that is used for the encryption. I’ve included some code below, which is used to encrypt and decrypt the data sent and returned from the server. The encode and decode scripts are put into the launcher, or stack that is created when a standalone or mobile version is built.

Here are the handlers. The encryption key will be more secure if it is obfuscated by putting it in as a property of a control or hidden in some way. I am wondering if the generation of the random seed is optimum.

Feedback welcome.

local theRandomSeed

function randomChrs n
   if theRandomSeed = "" then
      setRandomSeed
   end if
   put "" into tChars
   repeat with i=1 to n
      put random(256) into nChar
      put numToNativeChar(nChar) after tChars
   end repeat
   return tChars
end randomChrs

on setRandomSeed
   put (the milliseconds) into tMS
   put trunc(tMs/10000000) into tDiv
   put tMS mod tDiv into theRandomSeed
   set the randomseed to theRandomSeed
end setRandomSeed

function theRandomIV
   if theRandomSeed = "" then
      setRandomSeed
   end if
   put randomChrs(16) into tIVBytes
   return tIVBytes
end theRandomIV

--This handler encodes the data. First it generates a random
--initialization vector (iv), then encrypts the data and puts
--adds iv to the encoded data.
--tArray is an array that controls the action of the php script.
function theEncoded tArray
   put  theRandomIV() into tIV
   put base64Encode(tIV) into tB64IV
   put ArrayToJSON(tArray,"string”,”") into tJson
   put "AFBDDFCFBDBBDDCCFFACGHDFFFFEEDCC" into tEncryptionKey
   put "AES-256-CTR" into tCipher
   encrypt tJson using tCipher with key tEncryptionKey and iV tIV
   put base64encode(it) into tDataToSend
   --comment out next statement if iv not included in data
   put tB64IV&tDataToSend into tDataToSend
   return tDataToSend
end theEncoded

--This decodes the data that is returned by the php on the
--remote server.
--The iv is expected as the first 24 bytes of the returned data.
function theDecoded tData
   put byte 1 to 24 of tData into tIVB64
   put base64decode(tIVB64) into tIV
   put the number of bytes in tData into n
   put byte 25 to n of tData into tRetB64Data
   put base64decode(tRetB64Data) into tRetData
   put "AES-256-CTR" into tCipher
   put "AFBDDFCFBDBBDDCCFFACGHDFFFFEEDCC" into tEncryptionKey
   decrypt tRetData using tCipher with key tEncryptionKey and iV tIV
   put it into tReturn
   return tReturn
end theDecoded
-- End of handlers that should be in the main stack

More information about the use-livecode mailing list