DEV Community

Discussion on: End-to-End Encrypted Chat with the Web Crypto API

Collapse
yoursunny profile image
Junxiao Shi

Last time I designed a system using random IV with AES-GCM and it got rejected in security review. Crypto expert says IV must have three parts:

  • Sender identifier. Suppose two parties are using the same key, 1 bit should be used to identify the encrypting party.
  • Random bits, 64 bits minus sender identifier.
  • Counter bits, 32 bits. Start from zero, incremented for each AES block (not message). Key must be rotated when the counter reaches maximum.