Thank you! The only question I have - how receiving part will know IV? Do we send IV with message itself every time? Is IV visible for "everyone" or encrypted as well. :)? What is best practice? Thanks a lot.
Yes you have to send it with the message itself. And it is not encrypted. You can put it at the Fron of the message. You can just put it at the front. Even if they know what bytes are the iv they won't be able to determine the secret key
supposed that i capture the encrypted message 500 with IV of 3 then resend it back to the server then I would still win the game. I just have to capture the encrypted message every time I win, it does not matter if the message is different every time I win, i just resend that encrypted message and still win. Is the IV sent along with the encrypted message? Is the IV one time use only?
@@cimbot yes that's correct, and how you send the iv is secret. So it could be appended to the back, or it could be put at the front, or he could do something crazy like every other character is the iv
Why not use random key then? Basically you just used pair (IV, Key) as new Key, and it is as random as IV, so what is the point of keeping one part fixed, when you always use it in bundle with random part?
The receiver needs to know the key in order to decrypt the message. If you used a random key then it would just be another IV. The key is randomized, it's just not randomized every message. The whole point is that the key is something special that the receiver needs and that we can hopefully give to them in a way that someone who is reading all of the messages in between us will not have access to. For example, we might bundle the key in the source code of the program rather than having to send a key over the network. So that even if they can see all of the internet packets, we are passing back and forth which will include the IV and the message itself. It will not include the key. They would have to hack the client to to get the key.
You should all be asking why now: Why not only rely on a random seed? IV+Key is just one password. You can remove key and only use a random IV and will end up with the same result. Key would just be there if you don't want to generate larger random numbers at the expense of security.
It you need a certain amount of information e.g. 512 bits and you want to use 256 bits as a static key e.g. 32 letters you can use one half of the 512 bits as the static key which means the second half must be random. You see? Having two parts makes no sense, its stupid. Just forget about the static key and use 512 random bits which you can use to feed two algorithms. Having a static key which you reuse is just one more point of failure if you use not enough random bits of cause. Also handling the information of the static part is another unnessary problem.
You send the iv with the message. It is a known size, so how you send it is up to you. You could send it as the first x amount of characters in your message. Or the last x characters. Or maybe every other character for the first 2x characters is part of the iv.
@@matthewventures ok, so we do not send IV separately, we mix it up in final encrypted message. And server-end knows how to extract IV from encrypted message also, it must also have information about the key and the algorithm to decrypt the message using both IV and key.
Thanks. It is very informative. I have a few doubts though - 1. if we are generating IV on client-end then how will the server decrypt the message correctly ? 2. if we be generating a new IV each time we have to send a new message. Then how will we keep track of those IVs on both client-side and server-side ?
The iv is like a public key basically. So we simply tell the server what that key is, each message will have its own IV. You send the IV with the message, it's part of the same payload
Yes you have to send the iv. From my understanding the standard practice is that you don't even encrypt the iv. So I think it is sufficient to just send it in the front of your payload. But it's basically like a public password if you want to think of it that way, as if you have a public password and a private password
@@matthewventures so if IV is the 'public password' and encrypted message is the 'private password' then, is the algorithm used to achieve the encryption the hidden link which hackers need to decode ? and what about key. Does server know the key in this case ?
@@samartajshaikh2601The algorithm is known to everyone. What's secret is the key that the both parties share and don't send to each other. They only send the iv. Also hi, I'm currently trying to write an encrypted chat program from scratch for fun and I randomly stumbled on this video while learning about these things.
If IV is public then the player can guess the key again: 1. IV=4, Message=600 2. IV=3, Message=500 It is very clear that each increment in IV results in 100 increment in message.
