RNGCryptoServiceProvider.GetBytes(new byte[16]) to generate IVs to use in AES (256-bit) encryption. For every record I encrypt, I generate a new IV.
I’m also prepending each of these IVs to the encrypted text (to avoid storing them in a different column in the DB), as I guess is the standard.
However, to do that concatenation, I am using Convert.ToBase64String() to convert the IV byte array to a string first.
After a few tests I found a couple of patterns that concern me:
- every IV, as a string, ends with “==”
- every encrypted text ends with a “=”
One example of an output from my encryption:
Isn’t this painfully obvious?
I look at this and I know exactly where the IV ends and the encrypted string begins. If every record in the DB looks like this, then it’s obvious that the first part is the IV if you notice the fixed size and are aware of standard implementations.
Also, I’m not sure that the trailing “=” won’t give away more.
Why does this happen? Is it my fault for converting the byte array?
Shouldn’t I be worried about these patterns being a possible security weakness?
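The following is an added example, not the asker’s code. It shows the two facts behind the patterns in the question: Base64 padding is decided purely by the byte count modulo 3 (a 16-byte IV always becomes 22 characters plus “==”, a 32-byte ciphertext always ends in a single “=”), so it reveals length, not content; and the usual way to store the IV is to concatenate the raw bytes first and Base64-encode the whole record once. The key is generated in memory here only so the sample runs stand-alone; in real code it would come from a key store. `IvPrependDemo`, `Encrypt`, `Decrypt` and `PaddingFor` are names chosen for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not the original post's code): AES-256-CBC with a fresh
// random IV per record, IV prepended as raw bytes, Base64 applied once.
static class IvPrependDemo
{
    // Base64 emits one '=' per missing byte in the final 3-byte group,
    // so the padding depends only on byteCount % 3, never on the bytes' values.
    public static string PaddingFor(int byteCount) =>
        (byteCount % 3) switch { 1 => "==", 2 => "=", _ => "" };

    public static string Encrypt(byte[] key, byte[] plaintext)
    {
        using var aes = Aes.Create();
        aes.Key = key;                       // 32 bytes => AES-256
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.PKCS7;
        aes.GenerateIV();                    // fresh random 16-byte IV for this record

        byte[] iv = aes.IV;
        byte[] ct;
        using (var enc = aes.CreateEncryptor())
            ct = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);

        // Concatenate the raw bytes first, then Base64 the whole record once.
        // The IV's position is fixed by design; an IV is not a secret, it only
        // has to be unpredictable at encryption time.
        byte[] record = new byte[iv.Length + ct.Length];
        Buffer.BlockCopy(iv, 0, record, 0, iv.Length);
        Buffer.BlockCopy(ct, 0, record, iv.Length, ct.Length);
        return Convert.ToBase64String(record);
    }

    public static byte[] Decrypt(byte[] key, string base64Record)
    {
        byte[] record = Convert.FromBase64String(base64Record);
        using var aes = Aes.Create();
        aes.Key = key;
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.PKCS7;

        int ivLen = aes.BlockSize / 8;       // 16 bytes for AES
        if (record.Length < ivLen + ivLen)
            throw new CryptographicException("record too short to hold IV plus one block");

        byte[] iv = new byte[ivLen];
        Buffer.BlockCopy(record, 0, iv, 0, ivLen);
        aes.IV = iv;
        using var dec = aes.CreateDecryptor();
        return dec.TransformFinalBlock(record, ivLen, record.Length - ivLen);
    }

    static void Main()
    {
        // Demo key, generated in memory for this example only.
        byte[] key = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(key);

        // The padding rule explains every pattern in the question:
        Console.WriteLine("16 bytes -> " + PaddingFor(16));   // "==" (the IV on its own)
        Console.WriteLine("32 bytes -> " + PaddingFor(32));   // "="  (two-block ciphertext on its own)
        Console.WriteLine("48 bytes -> " + PaddingFor(48));   // ""   (IV + two blocks, encoded together)

        string record = Encrypt(key, Encoding.UTF8.GetBytes("account 4242, balance 17"));
        Console.WriteLine(record);
        Console.WriteLine("padding of record: '" + PaddingFor(Convert.FromBase64String(record).Length) + "'");

        string back = Encoding.UTF8.GetString(Decrypt(key, record));
        Console.WriteLine("round trip ok: " + (back == "account 4242, balance 17"));

        // Same plaintext twice: different IVs, so different ciphertext, but the
        // Base64 padding is identical because the lengths are identical.
        string again = Encrypt(key, Encoding.UTF8.GetBytes("account 4242, balance 17"));
        Console.WriteLine("ciphertexts differ: " + (record != again));
    }
}
```

Encoding the IV and the ciphertext separately and gluing the two strings together is what makes the “==” boundary visible inside the record, but an attacker who knows AES-CBC would assume a 16-byte prefix anyway, so nothing is lost either way. What CBC with a prepended IV does not give you is integrity: anyone who can modify the stored record can flip plaintext bits by editing the IV. If the records can be tampered with, an authenticated mode such as AES-GCM (`System.Security.Cryptography.AesGcm` in .NET Core 3.0 and later) or an HMAC over IV plus ciphertext is the usual answer.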