<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Gentlefolk,<div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>I am writing an app that encrypts files. Based upon private communications with members of this list and other crypto recommendation documents, the common advice is that I should use AES counter mode. What should my IV be? I’ve read one IETF standard that puts random bytes in the upper 64 bits and 1 in the lower 64 bits. My naïve view is that I should just choose the same number of random bytes, 16, for the IV as I do for a CBC mode. This is for a file whose length is limited, by the platform API, to an unsigned long long size (i.e. 64 bits). My concern is unsigned overflow of the IV. In practice, this is only ever a problem when the top 68 bits of the IV are all 1s. I can easily test for this situation and just ask the random number system for a new 128 bits. Of course, this is an infinitesimal reduction in the numbers available for an IV (2^128 - 2^60 or thereabouts).</div><div class=""><br class=""></div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>The bigger question is, I think, that the above problematic IV has lower entropy than I think it should. Perhaps I should be putting my random IV bytes through some kind of entropy test before using them? (Picking the IV is a rare event and much faster than writing the data to the file. Hence, testing before using is totally practical.) This, by design, reduces the pool of values from which the IV can be chosen, albeit in a non-deterministic fashion. Any recommendations of which entropy test to use?</div><div class=""><br class=""></div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>Or is this not an issue? To hamper plaintext attacks, I suspect it is.</div><div class=""><br class=""></div><div class=""><span class="Apple-tab-span" style="white-space:pre"> </span>This group’s sage advice is welcome and thankfully acknowledged in advance.</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""><div class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Anon,<br class="">Andrew<br class="">____________________________________<br class="">Andrew W. Donoho<br class="">Donoho Design Group, L.L.C.<br class=""><a href="mailto:awd@DDG.com" class="">awd@DDG.com</a>, +1 (512) 750-7596, <a href="http://twitter.com/adonoho" class="">twitter.com/adonoho</a><br class=""><br class="">Essentially, all models are wrong, but some are useful.<br class=""><span class="Apple-tab-span" style="white-space: pre;"> </span>— George E.P. Box</div>
</div>
<br class=""></div></body></html>