Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

No, it doesn't need to be random if the key is used only once.

PS The author didn't just copy something from a tutorial without knowing what he was doing, he actually asked for advice https://github.com/excalidraw/excalidraw/issues/610



Hm, I stand corrected!

Though I have two thoughts on that:

1. It wouldn't add very much complexity to implement random IV's. You can send it with the ciphertext, or in the generated URL. In my own project, I use btoa(JSON.stringify({ key: generatedKey, iv: randomIv })) and reverse the operation when the URL is accessed:

  const fragmentData = window.location.hash.substr(1);
  const keyParameters = JSON.parse(atob(fragmentData));
  const key = HexMix.hexToUint8(keyParameters.key);
  const iv = HexMix.hexToUint8(keyParameters.iv);
Edit: I'm also converting the key/iv to hexadecimal. Don't remember why, but that's not necessary lol.

Edit #2: Ah-ha, and now I've learned something else from the Excalidraw team; I can skip my hex/uint & base64 conversions if I export the key as jwk.

2. There are a _lot_ of tutorials out there that incorrectly reuse the key with a fixed IV. I was more concerned about this being yet another tutorial that someone blindly follows and ends up reusing the key regardless.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: