How to communicate AES initialization Vector to client for hybrid cryptosystem

Frontend · unresolved · 3 answers · 1096 views
Asked by 深忆病人 on 2020-12-31 16:31

I need to implement security for client-server communication. I have implemented the following hybrid cryptosystem:

To encrypt a message addressed to Alice in a hyb

3 answers
  • 2020-12-31 17:15

    I've done the same thing, and I handled it the same way - concatenate the AES key with the IV and encrypt them both.

    You could also just send the key and use the key itself to generate an IV - for example by using the first 128 bits of a hash of the key as the IV. That should be OK security-wise as long as you are generating a new AES key for each session and not re-using the same AES key over and over with the same IV.

  • 2020-12-31 17:28

    You don't encrypt the IV. Bundle it with the encrypted key and send it (in the clear) to the recipient.

    Standards for this do exist. This scheme is called "KeyTransRecipientInfo" in CMS (upon which S/MIME is based), and PGP offers a similar mode. TLS also includes the initialization vector as a parameter in the key encryption algorithm identifier, using the same ASN.1 syntax as CMS. A robust, open-source library to perform this operation is available for many, many platforms.

    At the very least, studying the CMS specification might help avoid some of the many pitfalls in a home-brew implementation. See §6.1 and §6.2.1 of RFC 3369.

  • 2020-12-31 17:29

    There is no reason to encrypt the IV - you can send that in the clear. Just make sure you pick a new one each time (the same way you do the AES key).

    That said, it is often convenient to package the AES key and IV together. Encryption of 16 bytes ain't that expensive.

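    The transport the second and third answers describe (RSA-wrap only the AES key, send the IV in the clear, draw a fresh key and IV for every message), as an added Go example that is not from the question or from any of the answers. It uses only the Go standard library. The Envelope layout, the function names, the choice of AES-256-GCM with the IV bound as associated data, RSA-OAEP with SHA-256 and a 2048-bit recipient key are all my assumptions for illustration; this is not the CMS KeyTransRecipientInfo encoding the second answer points to. NonceReuseLeak shows, with a deliberately fixed all-zero key and IV, why the IV must still be fresh even though it is public: two ciphertexts under the same key and IV XOR to the XOR of their plaintexts.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"io"
)

// Envelope is a constructed wire layout (assumption, not the CMS/ASN.1 encoding):
// only the AES key is RSA-wrapped; the IV travels unencrypted, fresh per message.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(SHA-256) ciphertext of the 256-bit AES key
	IV         []byte // 96-bit AES-GCM nonce, sent in the clear
	Ciphertext []byte // AES-GCM ciphertext with the 16-byte tag appended
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the sender side: fresh AES-256 key, fresh IV, key wrapped to the recipient's
// RSA key; the IV is passed as associated data so a modified IV fails the tag check.
func Seal(recipient *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, IV: iv, Ciphertext: gcm.Seal(nil, iv, plaintext, iv)}, nil
}

// Open is the recipient side: unwrap the AES key with the RSA private key, then
// decrypt and authenticate the payload under the IV that arrived in the clear.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.IV, env.Ciphertext, env.IV)
}

// RoundTrip generates a recipient key pair, seals msg twice, opens the first
// envelope and reports whether the two envelopes received distinct IVs.
func RoundTrip(msg []byte) (recovered []byte, freshIVs bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, false, err
	}
	env1, err := Seal(&priv.PublicKey, msg)
	if err != nil {
		return nil, false, err
	}
	env2, err := Seal(&priv.PublicKey, msg)
	if err != nil {
		return nil, false, err
	}
	recovered, err = Open(priv, env1)
	return recovered, !bytes.Equal(env1.IV, env2.IV), err
}

// NonceReuseLeak is the failure mode the answers warn about: with a fixed all-zero key
// and IV (constructed mistake, not something Seal does) both plaintexts get the same
// keystream, so c1 XOR c2 equals p1 XOR p2. p1 must not be longer than p2.
func NonceReuseLeak(p1, p2 []byte) ([]byte, error) {
	gcm, err := newGCM(make([]byte, 32))
	if err != nil {
		return nil, err
	}
	iv := make([]byte, gcm.NonceSize())
	c1 := gcm.Seal(nil, iv, p1, nil)
	c2 := gcm.Seal(nil, iv, p2, nil)
	out := make([]byte, len(p1))
	for i := range out {
		out[i] = c1[i] ^ c2[i]
	}
	return out, nil
}
```

    If the symmetric layer were AES-CBC instead of GCM, the IV would still be sent in the clear and still need to be 16 fresh random bytes per message, but the ciphertext would then also need its own MAC, since CBC gives no integrity on its own.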