Archived Forum Post


Q: IV for AES always 16 bytes

Apr 24 '16 at 22:56

I'm playing with AES encryption and I want to ask what happens if we use the IV like a "Password", but the user chooses fewer than 16 bytes :-/

From the examples:

    //  Set the IV to a known value that will be used on both sides.
    //  (If desired, you could generate a random IV and protect it in the same
    //  way as the key...)
    //  The length of the IV for AES is always 16 bytes, regardless of the key size.

Accepted Answer

If the encryption needs 16 bytes, then you must give it 16 bytes. You could hash the supplied password using MD5+salt to get a 16-byte IV for any input. The salt is there to help protect against rainbow dictionary attacks. For example, this air-code:

// md5hex(): stand-in for any routine that returns the MD5 digest as 32 hex characters (16 bytes)
input = "user supplied pass";
md5 = md5hex("random salt" + input);
crypt.SetEncodedIV(md5, "hex");


Thanks jpbro. Yes, that is a good solution. If you don't give it the full 16 bytes, or if you give it garbage, such as this: crypt.SetEncodedIV("Password","hex"); -- which is garbage because "Password" is not valid hex, then you're open to undetermined results. When doing any sort of cryptography, always be exact and don't leave anything to chance.
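
The following is an added example, not part of the original thread and not the library's own code: a Python check that an encoded IV is valid hex and exactly 16 bytes before it is passed to the encryption call, applied to an IV derived as in the accepted answer and to a random one as the quoted example comment suggests. The helper names (`parse_hex_iv`, `iv_from_password`, `random_iv_hex`, `check`) and the sample inputs are assumptions constructed for illustration.

```python
import hashlib
import re
import secrets

AES_IV_BYTES = 16  # AES IV length, regardless of key size
_HEX = re.compile(r"[0-9a-fA-F]+")


def parse_hex_iv(encoded):
    """Decode a hex IV strictly: only hex digits, exactly 16 bytes."""
    # bytes.fromhex() alone tolerates embedded whitespace, so check the
    # alphabet and the length explicitly before decoding.
    if not isinstance(encoded, str) or not _HEX.fullmatch(encoded):
        raise ValueError("IV is not valid hex")
    if len(encoded) != 2 * AES_IV_BYTES:
        raise ValueError("IV must be %d bytes, got %d hex chars"
                         % (AES_IV_BYTES, len(encoded)))
    return bytes.fromhex(encoded)


def iv_from_password(salt, password):
    """MD5(salt + input) as in the answer's air-code: always 32 hex chars."""
    return hashlib.md5((salt + password).encode("utf-8")).hexdigest()


def random_iv_hex():
    """Random 16-byte IV, the alternative the quoted example comment mentions."""
    return secrets.token_hex(AES_IV_BYTES)


def check(encoded):
    """Return 'ok' or the rejection reason, for logging before encryption."""
    try:
        parse_hex_iv(encoded)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("Password",                      # not hex at all
                      "0011223344",                    # valid hex, too short
                      iv_from_password("random salt", "pw"),
                      iv_from_password("random salt", "user supplied pass"),
                      random_iv_hex()):
        print("%-34r %s" % (candidate, check(candidate)))
```

The derived IV is the same every time for the same salt and input, while `random_iv_hex()` returns a fresh value on each call that has to be shared with the decrypting side.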