AES-256 Encryption Best Practices
waprothero at gmail.com
Wed Jul 4 07:41:46 CEST 2018
Ahhh, ok, I get it. It’s easy to re-seed every time it’s called, using the milliseconds. That assumes that the user of the program initiates the action at a random time.
I’ll change the code so it re-seeds every time.
> On Jul 3, 2018, at 7:02 PM, Brian Milby via use-livecode <use-livecode at lists.runrev.com> wrote:
> The problem is that with a known IV and the code, the next IV can be
> predicted if using the random function. If the generator was reseeded every
> time an IV was generated, that would remove the advance prediction issue. I
> didn't mean that the first IV could be guessed. Exploitation would be
> difficult and I believe even requires the attacker to be able to inject
> plain text to be encrypted.
> On Jul 3, 2018, 1:24 PM -0400, Rick Harrison via use-livecode <
> use-livecode at lists.runrev.com>, wrote:
> Hi Brian,
> I think it would be pretty hard to do based on the time.
> One would have to do the calculation in advance and
> hope that the program caught the server at exactly
> the correct millisecond. As you also pointed out the
> hacker would also have to have access to the code.
> If you generate your own random seed with a counter
> it should not count by 1’s. The step count ideally should
> be random as well.
> Good discussion!
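The three IV strategies discussed in this thread, side by side, as an added example that is not code from any of the posters. It assumes Python's `random.Random` as a stand-in for LiveCode's `random` function; the seed, timestamp and helper names are constructed for illustration.

```python
import random
import secrets

IV_LEN = 16  # AES block size in bytes, so a CBC IV is 16 bytes


def prng_iv(rng):
    """Draw an IV from a general-purpose seeded PRNG."""
    return bytes(rng.randrange(256) for _ in range(IV_LEN))


def time_seeded_iv(millis):
    """Reseed from the millisecond clock on every call, then draw the IV."""
    return prng_iv(random.Random(millis))


def csprng_iv():
    """Draw an IV from the operating system's CSPRNG; there is no seed to manage."""
    return secrets.token_bytes(IV_LEN)


def seeds_reproducing(iv, start_ms, end_ms):
    """Audit helper: millisecond seeds in [start_ms, end_ms) that regenerate iv."""
    return [ms for ms in range(start_ms, end_ms) if time_seeded_iv(ms) == iv]


def demo():
    # Case 1: seeded once. The same seed and code give the same IV sequence,
    # so every later IV is fixed in advance.
    app, observer = random.Random(1234), random.Random(1234)  # constructed seed
    first_equal = prng_iv(app) == prng_iv(observer)
    next_equal = prng_iv(app) == prng_iv(observer)

    # Case 2: reseed per call from the clock. The IV is now a pure function
    # of the timestamp, so a +/- 1 second window holds only 2000 candidates.
    t = 1530682906123  # constructed timestamp in milliseconds
    window = seeds_reproducing(time_seeded_iv(t), t - 1000, t + 1000)

    # Case 3: a CSPRNG IV has no relation to the clock.
    unrelated = seeds_reproducing(csprng_iv(), t - 1000, t + 1000)
    return first_equal, next_equal, window, unrelated


if __name__ == "__main__":
    print(demo())
```

An IV that `seeds_reproducing` can regenerate from a small time window identifies a generator worth replacing with the platform's cryptographic random source.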