Why rijndael.key value is different with rijndael.iv?

Question

someone can tell me how rijndael works?

for now i need to handle key and iv generated from C# (using rijndael + rfc2898derivebytes) to match with CryptoJS

code snippet of C#:

byte[] saltArray = Encoding.ASCII.GetBytes("20190925");
Rfc2898DeriveBytes pdb = new Rfc2898DeriveBytes("password", saltArray, 1000);
rijndael.Key = pdb.GetBytes(32);
//output c1b34ea814586db4a22dad37e11c7256322ab0eee3a14ed1898f93d7a264242f
rijndael.IV = pdb.GetBytes(16);
//output 063ead20a9d5f35ab83e1156ebe7c099

the result of rijndael.Key and rijndael.IV is different. I thought rijndael.IV will show half of rijndael.Key value because of pdb.GetBytes(16) is half of pdb.GetBytes(32)

i can match the key of rijndael+rfc2898derivebytes using CryptoJS using below code:

let key = CryptoJS.PBKDF2('password', '20190925', {keySize:256/32, iterations:1000})
//output c1b34ea814586db4a22dad37e11c7256322ab0eee3a14ed1898f93d7a264242f

but i don't know how to get the same IV with cryptoJS. anyone has an idea?

Answer 1

By implementing your own encryption, you're doing a bunch of things wrong here. I don't know if this is a toy project to learn about encryption (nice!) or if this is supposed to be actually used by anyone, even yourself (don't do that).

The IV and key have very different functions and should not have overlapping values (the IV will be half the length, because indeed it is 16 bytes in length and the key is 32 bytes, but should absolutely not be the same value). The reason why deriving bytes from the same Rfc2898DeriveBytes object gives different results, is because it just continues the keystream. If you want the same value twice, you need to reinitialize the object so it starts again from the beginning. But that's not what you want, anyway.

The key is, well, the secret key. The IV is a unique value that is not secret, it just makes the encryption unique and allows multiple encryption operations (up to a certain number) to be done with the same key. (In algorithms that do not have an IV parameter, like RC4, using the same key twice can lead to full decryption. That's why an IV is useful and important.)

Deriving the IV from a secret key, which is what Rfc2898DeriveBytes will do, is a very bad idea. It means that the IV will be the same every time. Instead, you should generate the IV from a CSPRNG, such as Crypto.getRandomValues() in JavaScript or RNGCryptoServiceProvider in C#. You can attach the IV value to the encrypted value, typically in front of it so that you don't have to read the whole message to configure your algorithm.

All this can already be found in other questions. See:

• AES using derived keys / IVs. Does it introduce a weakness?
• When using AES and CBC, is it necessary to keep the IV secret?
• Why does IV not need to be secret in AES CBC encryption?

Finally, you will want to be using authenticated encryption. This question explains what the role of authentication codes with encryption is: MAC vs Encryption