AES-256 Encryption Best Practices

William Prothero waprothero at gmail.com
Wed Jul 4 01:41:46 EDT 2018


Brian:
Ahhh, ok, I get it. It’s easy to re-seed every time it’s called, using the milliseconds. That assumes that the user of the program initiates the action at a random time. 

I’ll change the code so it re-seeds every time.

Best,
Bill

> On Jul 3, 2018, at 7:02 PM, Brian Milby via use-livecode <use-livecode at lists.runrev.com> wrote:
> 
> The problem is that with a known IV and the code, the next IV can be
> predicted if using the random function. If the generator was reseeded every
> time an IV was generated, that would remove the advance prediction issue. I
> didn't mean that the first IV could be guessed.  Exploitation would be
> difficult and I believe even requires the attacker to be able to inject
> plain text to be encrypted.
> 
> On Jul 3, 2018, 1:24 PM -0400, Rick Harrison via use-livecode <
> use-livecode at lists.runrev.com>, wrote:
> 
> Hi Brian,
> 
> I think it would be pretty hard to do based on the time.
> One would have to do the calculation in advance and
> hope that the program caught the server at exactly
> the correct millisecond. As you also pointed out the
> hacker would also have to have access to the code.
> 
> If you generate your own random seed with a counter
> it should not count by 1’s. The step count ideally should
> be random as well.
> 
> Good discussion!
> 
> Thanks,
> 
> Rick
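The two IV schemes discussed in this thread, set beside an IV drawn from the operating system CSPRNG. This is an added illustration, not code from the thread or from LiveCode. Python's `random` module stands in for a general-purpose random function, and the function names and the sample timestamp are constructed for this example.

```python
import math
import random
import secrets

IV_LEN = 16  # AES block size in bytes


def prng_iv(rng):
    """Draw a 16-byte IV from a general-purpose, non-cryptographic PRNG."""
    return bytes(rng.getrandbits(8) for _ in range(IV_LEN))


def seeded_once_ivs(seed, count):
    """Seed once, then draw `count` IVs; the seed fixes the whole sequence."""
    rng = random.Random(seed)
    return [prng_iv(rng) for _ in range(count)]


def reseeded_iv(millis):
    """Reseed from a millisecond clock reading before drawing each IV."""
    return prng_iv(random.Random(millis))


def distinct_ivs_in_window(start_ms, window_ms):
    """Count the IVs the reseeding scheme can emit within a time window."""
    return len({reseeded_iv(start_ms + i) for i in range(window_ms)})


def seed_entropy_bits(window_ms):
    """Upper bound on IV entropy when the call time is the only unknown."""
    return math.log2(window_ms)


def csprng_iv():
    """IV from the operating system CSPRNG; no application-level seed."""
    return secrets.token_bytes(IV_LEN)


if __name__ == "__main__":
    t0 = 1530682906000  # constructed sample: a millisecond timestamp
    print("seeded once, same seed, same IVs:",
          seeded_once_ivs(t0, 3) == seeded_once_ivs(t0, 3))
    print("possible IVs in a 1 s window:", distinct_ivs_in_window(t0, 1000))
    print("entropy bound for a 60 s window: %.1f bits" % seed_entropy_bits(60_000))
    print("CSPRNG IV:", csprng_iv().hex(), "(128 bits, no seed to track)")
```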




