AES-256 Encryption Best Practices

Tom Glod tom at
Tue Jul 3 00:57:58 EDT 2018

i will be looking at this thank you William.

On Mon, Jul 2, 2018 at 11:37 PM, William Prothero via use-livecode <
use-livecode at> wrote:

> Folks:
> I’ve been working on a sample stack to demonstrate encryption, best
> practices (as far as I can determine).
> The online lessons are not adequate for a robust solution to this vital
> security issue. I’ve posted a demo stack at:
> <http://
>>  This stack has
> benefited from feedback and ideas from folks on this list. Feedback is
> welcome.
> This stack generates a random iv vector and uses AES-256 encryption to
> encode an array containing commands for interaction with a mySQL server.
> The server side php script that decodes the data and encodes the returned
> response is included.
> On thing I am still unsure about is the best way to generate a random
> string of characters that I use for the random IV (initialization vector)
> that is used for the encryption. I’ve included some code below, which is
> used to encrypt and decrypt the data sent and returned from the server. The
> encode and decode scripts are put into the launcher, or stack that is
> created when a standalone or mobile version is built.
> Here are the handlers. The encryption key will be more secure if it is
> obfuscated by putting it in as a property of a control or hidden in some
> way. I am wondering if the generation of the random seed is optimum.
> Feedback welcome.
> local theRandomSeed
> function randomChrs n
>    if theRandomSeed = "" then
>       setRandomSeed
>    end if
>    put "" into tChars
>    repeat with i=1 to n
>       put random(256) into nChar
>       put numToNativeChar(nChar) after tChars
>    end repeat
>    return tChars
> end randomChrs
> on setRandomSeed
>    put (the milliseconds) into tMS
>    put trunc(tMs/10000000) into tDiv
>    put tMS mod tDiv into theRandomSeed
>    set the randomseed to theRandomSeed
> end setRandomSeed
> function theRandomIV
>    if theRandomSeed = "" then
>       setRandomSeed
>    end if
>    put randomChrs(16) into tIVBytes
>    return tIVBytes
> end theRandomIV
> --This handler encodes the data. First it generates a random
> --initialization vector (iv), then encrypts the data and puts
> --adds iv to the encoded data.
> --tArray is an array that controls the action of the php script.
> function theEncoded tArray
>    put  theRandomIV() into tIV
>    put base64Encode(tIV) into tB64IV
>    put ArrayToJSON(tArray,"string”,”") into tJson
>    put "AES-256-CTR" into tCipher
>    encrypt tJson using tCipher with key tEncryptionKey and iV tIV
>    put base64encode(it) into tDataToSend
>    --comment out next statement if iv not included in data
>    put tB64IV&tDataToSend into tDataToSend
>    return tDataToSend
> end theEncoded
> --This decodes the data that is returned by the php on the
> --remote server.
> --The iv is expected as the first 24 bytes of the returned data.
> function theDecoded tData
>    put byte 1 to 24 of tData into tIVB64
>    put base64decode(tIVB64) into tIV
>    put the number of bytes in tData into n
>    put byte 25 to n of tData into tRetB64Data
>    put base64decode(tRetB64Data) into tRetData
>    put "AES-256-CTR" into tCipher
>    decrypt tRetData using tCipher with key tEncryptionKey and iV tIV
>    put it into tReturn
>    return tReturn
> end theDecoded
> -- End of handlers that should be in the main stack
> _______________________________________________
> use-livecode mailing list
> use-livecode at
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:

More information about the use-livecode mailing list