7
votes

I am writing an Android application which aims to encrypt and decrypt files using AES 256. I am using AES-CBC mode and PBKDF2 for deriving the AES key from a user-entered password. Also, I am generating a secure, pseudorandom salt for every file's encryption key. I am storing the IV and salt with the encrypted file, so I can reread them and regenerate the key later to be able to decrypt the file.

My question: Does storing the salt along with the encrypted file break security and any meaning of the salt itself? Can't an attacker knowing the salt and the IV make an offline brute force attack against the encrypted file to find out the encryption key?

2 Answers

10
votes

The main purpose of the salt is not to be secret, but to make sure an attacker can't use shortcuts when trying to brute-force the password, like using rainbow tables (i.e. one existing table, or a new one to be used for multiple encrypted files), or brute-forcing multiple collected files (which should have different salts) at once.

As long as your password has enough entropy and the number of iterations in your key derivation function is high enough, storing the salt with the ciphertext is no problem. The salt alone will not allow anyone to decrypt the file.

Also, if you want to keep the salt secret (it then is usually called "pepper" instead of salt), you'll have to think of some mechanism to get the right salt to the one legitimately doing the decryption.

2
votes

Salt is used for one-way functions such as hashing a password.

Random IV is used for two-way functions such as encrypting data that can later be decrypted.

They both are random bytes and are used to prevent the same piece of information from producing the same result after being applied by the function. So if two people choose the same password to store their data and store the same piece of information, the encrypted bytes will be different.

You can store them alongside the encrypted file.

Also, use more than 1 iteration with PBKDF2 or else it's fairly useless. According to Wikipedia, iOS 3 uses 2,000 iterations and iOS 4 uses 10,000.
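The layout the question and both answers describe, with the salt and IV stored in the clear ahead of the ciphertext, as an added example that is not part of the original posts. The class name, the iteration count and the sample password are assumptions chosen for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.*;
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import java.util.Arrays;

public class SaltedFileCrypto { // hypothetical class name
    static final int SALT_LEN = 16, IV_LEN = 16; // IV length = AES block size
    static final int ITERATIONS = 100_000;       // assumed value, not from the page

    // PBKDF2(password, salt) -> 256-bit AES key; algorithm availability depends on the provider.
    static SecretKeySpec deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
        return new SecretKeySpec(SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded(), "AES");
    }

    // Output layout: salt (16) || IV (16) || ciphertext. Fresh salt and IV per file.
    static byte[] encrypt(char[] password, byte[] plaintext) throws Exception {
        byte[] salt = new byte[SALT_LEN], iv = new byte[IV_LEN];
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(salt);
        rng.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(password, salt), new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plaintext);
        return ByteBuffer.allocate(SALT_LEN + IV_LEN + ct.length).put(salt).put(iv).put(ct).array();
    }

    // Reads salt and IV back from the header and regenerates the key from the password.
    // CBC has no integrity check: a wrong password usually, not always, fails on padding.
    static byte[] decrypt(char[] password, byte[] blob) throws Exception {
        int hdr = SALT_LEN + IV_LEN;
        if (blob.length < hdr + 16) throw new IllegalArgumentException("truncated input");
        SecretKeySpec key = deriveKey(password, Arrays.copyOfRange(blob, 0, SALT_LEN));
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(blob, SALT_LEN, IV_LEN));
        return c.doFinal(blob, hdr, blob.length - hdr);
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "correct horse battery staple".toCharArray(); // constructed sample
        byte[] msg = "sample file contents".getBytes("UTF-8");    // constructed sample
        byte[] a = encrypt(pw, msg), b = encrypt(pw, msg);
        System.out.println("round trip ok: " + Arrays.equals(msg, decrypt(pw, a)));
        System.out.println("same input, different file: " + !Arrays.equals(a, b));
    }
}
```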