DEV Community

Discussion on: End-to-End Encrypted Chat with the Web Crypto API

Collapse
cardoso profile image
Matheus Cardoso Author • Edited on

Hi! Thanks a lot for the feedback. I missed this information while doing my very superficial research about AES-GCM (I just saw it wasn't sensitive, but didn't see it had to change every time). I'm currently changing the tutorial's approach to this and removing the misleading info.

Edit: done

Collapse
yoursunny profile image
Junxiao Shi

Last time I designed a system using random IV with AES-GCM and it got rejected in security review. Crypto expert says IV must have three parts:

  • Sender identifier. Suppose two parties are using the same key, 1 bit should be used to identify the encrypting party.
  • Random bits, 64 bits minus sender identifier.
  • Counter bits, 32 bits. Start from zero, incremented for each AES block (not message). Key must be rotated when the counter reaches maximum.