C# · 16mo ago
Pokey

❔ AES-GCM Key Generation

Good evening! I'd like to use AesGcm to encrypt data, but I need a good and safe way to generate the keys. Is it okay to use Aes aes = Aes.Create() and then aes.GenerateKey() and aes.GenerateIV() and then take the values from that and use them with AesGcm or is this not recommended for any reason? Thanks!
8 Replies
Lubimec13 · 16mo ago
Good evening! When it comes to cryptographic key generation, it's important to use a secure and reliable method to ensure the confidentiality and integrity of the data. In general, using the Aes.Create() method to generate an Aes object and then calling GenerateKey() and GenerateIV() to obtain the key and initialization vector (IV) can be a secure approach. However, it's important to make sure that the generated key and IV are sufficiently random and unpredictable, as this is crucial to the security of the encryption. If the key and IV generated by Aes.Create() are cryptographically secure, then using them with AesGcm is fine. However, if you have any doubts about the security of the key generation process or if you need to ensure higher levels of security, it's recommended to use a specialized key generation tool or library that is designed specifically for cryptographic purposes. Additionally, it's important to follow best practices when it comes to key management, such as storing the key securely and rotating it periodically, to ensure that the encryption remains secure over time. In summary, using Aes.Create() to generate an Aes object and calling GenerateKey() and GenerateIV() to obtain the key and IV can be a secure approach, as long as the generated values are sufficiently random and unpredictable. However, for higher levels of security, it's recommended to use specialized key generation tools and follow best practices for key management.
Scratch · 16mo ago
Please do not use ChatGPT to generate answers.
Pokey · 16mo ago
Yea, you can tell this is GPT because it basically just took what I told it about Aes and doesn't have any idea as to the actual security of it, which is the whole point of the question. I ultimately ended up going with RandomNumberGenerator because MS say it produces cryptographically secure randomness.
HimmDawg · 16mo ago
For the future, Aes.Create() and Aes.GenerateKey() / Aes.GenerateIV() are fine. Wouldn't be in System.Security.Cryptography if that stuff wasn't cryptographically secure. Just make sure you are declaring the instance of Aes in a using statement, as Aes implements IDisposable.
Pokey · 16mo ago
Awesome, thanks. I also considered another thing, not sure if you or anyone else may have an answer to it too: Assume I am being safe and each encryption operation I'm doing has its own unique key and IV. If I'm encrypting several individual chunks of data, and those chunks are in a known format and have a header which is identical across all chunks, and a malicious actor knows what that header is and therefore knows the first few decrypted bytes of all chunks as a result, could they use this information to significantly decrease the time it would take to brute force a key and IV pair and decrypt the rest of the content?
HimmDawg · 16mo ago
You should be fine here, as long as you don't use CipherMode.ECB. I am not an expert in cryptography, so take this answer with a grain of salt.
Pokey · 16mo ago
Yea, I'm using GCM, so I thought that it would not be an issue. Your response will be taken seriously for a product which will advertise itself as to be taken with a grain of salt 🤣 Thanks though, much appreciated. I'm implementing an additional layer of complexity to a product which already exists, but making it clear that the security of the implementation has not been validated by a professional and no claims are made as to its actual security.
Accord · 16mo ago
Was this issue resolved? If so, run /close - otherwise I will mark this as stale and this post will be archived until there is new activity.
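Added example, not code from any poster in this thread: per-chunk key and nonce generation with RandomNumberGenerator, used with AesGcm on chunks that share a known header. AesGcm takes a 12-byte nonce, whereas Aes.GenerateIV() produces a 16-byte IV, so the nonce is sized from AesGcm.NonceByteSizes. Assumptions: .NET 8 or later; the chunk contents and the SealedChunk and ChunkCrypto names are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Constructed sample chunks: same 4-byte header, different bodies.
byte[] chunkA = Encoding.ASCII.GetBytes("CHNKfirst constructed payload");
byte[] chunkB = Encoding.ASCII.GetBytes("CHNKsecond constructed payload");

// Fresh 256-bit key per chunk from the OS CSPRNG, as in the thread's scenario.
byte[] keyA = RandomNumberGenerator.GetBytes(32);
byte[] keyB = RandomNumberGenerator.GetBytes(32);
SealedChunk a = ChunkCrypto.Seal(keyA, chunkA);
SealedChunk b = ChunkCrypto.Seal(keyB, chunkB);

// Same plaintext header, but each ciphertext prefix comes from its own keystream.
Console.WriteLine(Convert.ToHexString(a.Ciphertext, 0, 4));
Console.WriteLine(Convert.ToHexString(b.Ciphertext, 0, 4));
Console.WriteLine(Encoding.ASCII.GetString(ChunkCrypto.Open(keyA, a)));

// Flip one ciphertext bit: the tag check fails and no plaintext is returned.
a.Ciphertext[0] ^= 0x01;
try { ChunkCrypto.Open(keyA, a); }
catch (CryptographicException) { Console.WriteLine("tampered chunk rejected"); }

// Hypothetical container for what must be stored alongside each chunk.
record SealedChunk(byte[] Nonce, byte[] Ciphertext, byte[] Tag);

static class ChunkCrypto
{
    public static SealedChunk Seal(byte[] key, byte[] chunk)
    {
        // 12-byte nonce; it must never repeat under the same key.
        byte[] nonce = RandomNumberGenerator.GetBytes(AesGcm.NonceByteSizes.MaxSize);
        byte[] ciphertext = new byte[chunk.Length];
        byte[] tag = new byte[AesGcm.TagByteSizes.MaxSize];
        using var gcm = new AesGcm(key, tag.Length);
        gcm.Encrypt(nonce, chunk, ciphertext, tag);
        return new SealedChunk(nonce, ciphertext, tag);
    }

    public static byte[] Open(byte[] key, SealedChunk chunk)
    {
        byte[] plaintext = new byte[chunk.Ciphertext.Length];
        using var gcm = new AesGcm(key, chunk.Tag.Length);
        // Throws a CryptographicException if ciphertext, nonce or tag was altered.
        gcm.Decrypt(chunk.Nonce, chunk.Ciphertext, chunk.Tag, plaintext);
        return plaintext;
    }
}
```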