AES Key Generation (128, 256 byte)


(Sadhasivam) #1

Hi Friends,

For our encryption key strategy we need to generate an AES-256 key and init vector using the GoLang crypto modules. Any pointers or advice on how to generate AES-256 or 128-bit keys as a service-level API?


(Matt Silverlock) #2

Which mode? There are a number of examples in the docs: https://golang.org/pkg/crypto/cipher/#Block

Further, does secretbox (https://golang.org/x/crypto/nacl/secretbox) not cover your use case? How will you authenticate your ciphertext?


(Jakob Borg) #3

As Matt says, using secretbox is probably better if you’re unsure about the issues around this as you’re more likely to get it right that way.

Otherwise, generally speaking you want the key and IV to be as random as possible. Reading bytes from crypto/rand should suffice for this. If you need to base the key on something given by the user, such as a pass phrase, then you want to use a key derivation function - PBKDF2 is one such.


(Sadhasivam) #4

Thanks for the input, Matt & Calmh.

I tried to follow secretbox, crypto/rand & cipher, but I am not able to get the desired results. All we have to do is generate dynamic AES keys on each run of the program, so that our other services can encrypt using that key, which we can decrypt, and vice versa.

With the APIs shared I am not sure how to obtain AES keys.

I tried this:

```go
b := make([]byte, 32) // 32 zero bytes; nothing has written random data into them yet
block, err := aes.NewCipher(b)
```

but I am not sure how to get the actual key (usually base64-encoded, after the Blob value) from the cipher block.

Thanks in advance.


(Matt Silverlock) #5

If you randomly generate keys on each end, how do you share them?

It might be better to explain what you are trying to achieve rather than how you have decided to achieve it.


(Sadhasivam) #6

Thanks, Matt. Here is our virtual requirement.

We have a growing number of clients which require a standard encryption pattern (AES-256/128-bit keys). Some of them are internal and some of them external.

The key can be created on initial client setup or re-issued after a defined period of time.

In the past, we used Salesforce, which manages keys & other details. Generation of keys was also much easier, with a single API (Blob key1 = Crypto.generateAesKey(128); and base64-encode it).

Going forward we are trying to automate this process by coming up with a Crypto Server which generates keys, stores them in our Vault DB & manages them.

Somewhat similar to the site (http://randomkeygen.com/), but we need this in Golang. Ref: the CodeIgniter Encryption Keys section of that page.

In the past we used Salesforce, where we had a straightforward API to generate unique AES keys. I am trying to do the same in GoLang.

Thanks


(Matt Silverlock) #7

The “key” is whatever you generate from crypto/rand - in your case, a []byte from rand.Read. The number of bytes will depend on whether you’re using AES-128 (16 byte key) or AES-256 (32 byte key).

However, you also need to decide what mode of AES you’re using. I strongly, strongly suggest you use secretbox — I don’t mean to be rude (at all), but if you’re handling key material and you don’t know how to generate an AES key (or which mode you’re using), then you’re potentially creating a security risk for your customers.

In short:

  1. Re-think your approach (why do you need to encrypt things? Can you not use another service?)
  2. If you must, use secretbox, and generate keys securely
  3. Store the keys securely (this is non-trivial).
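The points above (the key is simply the bytes read from crypto/rand, sized 16 or 32 for AES-128/256; the ciphertext must be authenticated; the service hands the key out base64-encoded) as an added example, not code from the thread. It uses the standard library's AES-GCM as the authenticated mode instead of secretbox, which lives outside the standard library; the function names are assumed here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"io"
)

// GenerateKey returns a fresh random AES key: 16 bytes for AES-128, 32 for
// AES-256. The key IS these bytes; there is no key object to extract it from.
func GenerateKey(size int) ([]byte, error) {
	key := make([]byte, size)
	_, err := io.ReadFull(rand.Reader, key) // crypto/rand, never math/rand
	return key, err
}
// EncodeKey gives the base64 form a key-issuing service would hand to clients.
func EncodeKey(key []byte) string { return base64.StdEncoding.EncodeToString(key) }
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// Seal encrypts and authenticates with AES-GCM; the random 12-byte nonce is
// prepended to the output and must never repeat under the same key.
func Seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}
// Open verifies the tag before decrypting; any tampering returns an error.
func Open(key, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := aead.NonceSize(); len(sealed) >= n {
		return aead.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, io.ErrUnexpectedEOF // truncated ciphertext, shorter than a nonce
}
```

The key itself still has to be stored and distributed securely, which the block does not address.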
