Envelope formats to store (symmetric) encrypted text

Question

We have decided to use AES to cipher user data. So for every data chunk we have the crypted text along with the SALT. Now we have to store both of them in the database and we do not want to separate the SALT from crypted text in different columns.

So I'm searching for some standard (like PEM for keys or PKCS#7 for PKI envelope) to store the encrypted message (it is already in Base64 format) along with the SALT in a unique text field.

I think something like the following:

---- BEGIN ENVELOPE ----- salt: d23sda923uasd989s FHb/UR2Vfut0hQ8IG+P3mXy0sIVxJUpmTp3xzxOhTsjefkH/EAnRn9FgIn5rjIt5CLfU7Ou2zLcL2Ldg Ck2xHeYqNlNg6WobvJDs4iLxkfKdkoxGfDW3s/ImqxG3VecpzeXNhkbVwr+HxnUa3gRDNY71rN463/Sj REYn7j0sFButndPCxIeqbtX0upMuHhKnEBEwRpkcGeLsbDAPUU74UuL+7UriC2LZFm1oDdi3j6zzZsNY JwQAQ4dduzMqeOrmBsnj1KaRZgLJd0UbHLwFOUuV4pqgNP0iFOc0g137W/nsum37tCS8RTm41S8Wk6qb daEXPfXtQYdQ8p1/nfLv18TxFPUVwW8owC0J9ol9cYMGzsN/cY8tLKWe3JG5lS4nVB0dOjFkKPugSBw6 owCM0yADQYtbkhWXGZHr7xiL+ytKUD9xA8r0BFn0EZCCChsMlXSSsJ2PohAT83jyIXQX10mW31fBCW68 nsETdjItEg3urjBVjOAve+p/Sb0oj8Y2rDuomEQOHrN+wjZZj/atRYHdwA5qlhOojmvVED5YxJUCI2YB j9pMet1IiW340JCXWsK+8N4CwlNHy57YJTP94= ---- END ENVELOPE -----

thanks

What do you use the salt for? I am asking, because a salt is usually used for hashing and not for encryption. Is it used as a nonce/IV? — mat, May 04 '17 at 10:47
Yes i think it's a sort of nonce. I'm using the Sping Secuirty project with BouncyCastle binding. The directive is the following: BouncyCastleAesCbcBytesEncryptor(String password, CharSequence salt, BytesKeyGenerator ivGenerator) — robob, May 04 '17 at 13:00

score 2 · Accepted Answer · edited Oct 07 '21 at 07:59

2

The standard format for storing encrypted data is the Cryptographic Message Syntax (CMS), a.k.a. PKCS#7. Encrypted data contains a ContentEncryptionALgorithmIdentifier, which has to contain the type of encryption used (for instance AES-128-CBC) and all parameters neccesary to decrypt it (for instance an IV). The ASN.1 types for the AES-CBC encryption are defined in RFC 3565.

edited Oct 07 '21 at 07:59

Community

1

answered May 04 '17 at 14:48

mat

1,243
7
14

Do you have any advice on what to use in Java to implement that RFC? I'm using BouncyCastle for other things but it's hard to find examples on the topic – robob May 08 '17 at 04:52
1

BouncyCastle is definitely capable of doing that. – mat May 08 '17 at 07:32

Envelope formats to store (symmetric) encrypted text

1 Answers1