Is it ok to transmit an IV as a custom HTTP header?
Considering an AES OFB encryption algorithm, suppose that I'm sending a message over HTTP (not HTTPS) and my message body contains the cyphertext. I'd like to know if transmitting a random initialization vector as a custom HTTP header is considered a bad practice, taking into account that it's conventionally appended to the beginning of the cyphertext.
aes initialization-vector ofb
asked Aug 31 at 22:59
Lucas
1 Answer
Accepted answer (9 votes)
From a cryptographic standpoint, it doesn't matter how you transmit the IV. You can send it as a header, in the message body, as the path in the request method, or even the URG pointers in a few TCP packets. From the perspective of the encryption process itself, it doesn't care how it got the IV, no matter how silly the transmission method used, as long as it got it in the end.
From a web development standpoint, it's bad practice to include data that is applicable to the payload in the headers. Sending an IV in a custom HTTP header slightly increases overhead when compared to simply prepending it to the ciphertext and sending it all. You don't even need an elaborate serialization format. Just prepend the fixed-size IV and call it a day. This has the additional benefit of not breaking the HEAD method, which requests the HTTP headers but not body. I can't think of any reason why you could possibly want the IV sans ciphertext.
edited Sep 10 at 2:21
answered Sep 1 at 0:05
forest
+1 for added complexity of splitting it up; the IV belongs with the ciphertext, so put it with the ciphertext. – Mike Ounsworth, Sep 1 at 2:54
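The layout the answer recommends, as an added example (not code from the question or the answer): Node.js `crypto` encrypts with AES-128-OFB and places the random IV in front of the ciphertext in the HTTP body, and the receiver splits it off by its fixed size. The 128-bit key size, the function names and the `X-Message-IV` header name are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

const IV_LEN = 16; // AES block size; OFB takes a full-block IV

// Sender: bytes for the HTTP body, laid out as IV || ciphertext.
function sealBody(key, plaintext) {
  const iv = crypto.randomBytes(IV_LEN); // fresh random IV for every message
  const cipher = crypto.createCipheriv('aes-128-ofb', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, ct]);
}

// Receiver: split the fixed-size IV off the front and decrypt the rest.
function openBody(key, body) {
  if (!Buffer.isBuffer(body) || body.length < IV_LEN) {
    throw new RangeError('body is shorter than one IV');
  }
  const iv = body.subarray(0, IV_LEN);
  const decipher = crypto.createDecipheriv('aes-128-ofb', key, iv);
  return Buffer.concat([decipher.update(body.subarray(IV_LEN)), decipher.final()]);
}

// Bytes the IV costs on an HTTP/1.1 wire in each layout. A header value has
// to be text, so the IV is hex-encoded there. 'X-Message-IV' is hypothetical.
function ivOverhead() {
  const headerLine = 'X-Message-IV: ' + '0'.repeat(IV_LEN * 2) + '\r\n';
  return { inBody: IV_LEN, inHeader: Buffer.byteLength(headerLine) };
}

// Constructed sample run: key and message are made up for the demonstration.
function demo() {
  const key = Buffer.alloc(16, 0x42);
  const body = sealBody(key, Buffer.from('constructed sample message'));
  return {
    contentLength: body.length, // 16-byte IV + 26 bytes; OFB adds no padding
    roundTrip: openBody(key, body).toString(),
    overhead: ivOverhead(),
  };
}

console.log(demo());
```

Bare OFB does not authenticate anything, so neither layout detects a modified IV or ciphertext; that holds wherever the IV travels.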