ctr-mode

I understand that in AES Counter mode I need to use a 128 bit nonce. The naïve way to do that would be to use a random 128 bit nonce, but I'm not sure the algorithm will be able to increment the counter correctly if it's passed as all random bits. I thought the correct way to do it is to use a 96 bit nonce and also a 32 bit counter starting at 0, for example: var key = CryptoJS.enc.Hex.parse('01ab23cd45ef67089a1b2c3d4e5f6a7b'); // 128 bits / 16 bytes var nonce = '2301cd4ef785690a1b2c3dab'; // 96 bits / 12 bytes var counter = '00000000'; // 32 bits / 4 bytes var nonceAndCounter = nonce +

import javax.crypto.Cipher; public abstract class Crypto { private static final String CIPHER_ALGORITHM = "AES/CTR/NoPadding"; private String AesKeyString = "ByWelFHCgFqivFZrWs89LQ=="; private void setKey() throws NoSuchAlgorithmException{ byte[] keyBytes; keyBytes = Base64.getDecoder().decode(AesKeyString); aesKey = new SecretKeySpec(keyBytes, "AES"); } protected byte[] execute(int mode, byte[] target, byte[] iv) throws Exception{ Cipher cipher = Cipher.getInstance(CIPHER_ALGORITHM); IvParameterSpec ivSpec = new IvParameterSpec(iv); cipher.init(mode, aesKey, ivSpec); return cipher.doFinal

I would like to encrypt the cookies that are written by a webapp and I would like to keep the size of the cookies to minimum, hence the reason I picked AES/CTR/NoPadding. What would you recommend to use as IV that's random enough and still keep the app stateless. I know that I can just generate a random IV and append it to the message, but that will increase the size of the cookie. In addition, what's the recommended size of IV for 128-bit AES? How else is everyone doing this? Do any "tried and true" ways exist? I don't want to reinvent the wheel. Thomas Pornin CTR security requires that you