Question

I haven't written encryption in a while and have forgotten some stuff.

I remember that to have the output be different for the same data using the same key, I want to salt the data on one of the ends of the byte array and then use CBC mode so that the salt can do its thing.

However I can't remember which direction the encryption goes. Should the salt go at position 0 and then the data to be encrypted goes behind it, or does the salt go at the end? I know CBC mode works best when the salt is the first block in the chain.

Also what block size for AES 256? The wiki article says that all AES uses 128-bit block sizes, and that the 256 part only relates to the key length. So should my salt for AES 256 be 16 bytes or 32 bytes?

I'm using AesCryptoServiceProvider, not RijndaelManaged.


Solution

First of all, we generally call the random per-encryption value an Initialization Vector (IV), not a salt, in the context of block ciphers.

AES-256 has 128-bit blocks, so the IV should have 128 bits. Typical libraries that implement CBC mode have a special parameter for the IV. You shouldn't mix it into the plaintext yourself.

AesCryptoServiceProvider creates a new random IV by default when you instantiate it. You just need to store it alongside the ciphertext and restore it before decryption. Since you need the IV to start decryption, I prefer putting it at the beginning of the ciphertext. But how and where you store the IV has no effect on security.


An additional hint beyond your questions: Add a MAC (e.g. HMAC-SHA-2) on the ciphertext. Be sure to compute it on the ciphertext including the IV (encrypt-then-MAC), not on the plaintext (MAC-then-encrypt). Otherwise an active attacker can often use a padding oracle to decrypt the message. Don't forget to use a constant-time comparison function for MAC verification.
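The scheme described in this answer, as an added example that is not part of the original post: a random IV stored in front of the ciphertext, an HMAC over IV plus ciphertext, and a constant-time tag check before decryption. It uses `Aes.Create()` (the `Aes` base class that `AesCryptoServiceProvider` derives from) and targets .NET 6 or later. The class name, method names, message layout and the use of two independent 32-byte keys are assumptions of this example.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class EncryptThenMac
{
    const int IvLen = 16;   // AES block size is 128 bits for every key length
    const int TagLen = 32;  // HMAC-SHA-256 output size
    // Layout: IV || ciphertext || HMAC-SHA-256(IV || ciphertext). Assumes two independent keys.
    public static byte[] Encrypt(byte[] plaintext, byte[] encKey, byte[] macKey)
    {
        using var aes = Aes.Create();           // CBC and PKCS7 padding by default
        aes.Key = encKey;                       // a random IV is generated on first use
        using var enc = aes.CreateEncryptor();
        byte[] ct = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
        byte[] body = aes.IV.Concat(ct).ToArray();
        using var hmac = new HMACSHA256(macKey);
        return body.Concat(hmac.ComputeHash(body)).ToArray();
    }

    public static byte[] Decrypt(byte[] message, byte[] encKey, byte[] macKey)
    {
        int bodyLen = message.Length - TagLen;
        if (bodyLen < 2 * IvLen) throw new CryptographicException("Message too short.");
        using var hmac = new HMACSHA256(macKey);
        byte[] expected = hmac.ComputeHash(message, 0, bodyLen);
        // Check the tag in constant time before any decryption or padding check runs.
        if (!CryptographicOperations.FixedTimeEquals(expected, message.AsSpan(bodyLen)))
            throw new CryptographicException("MAC check failed.");
        using var aes = Aes.Create();
        aes.Key = encKey;
        aes.IV = message.AsSpan(0, IvLen).ToArray();
        using var dec = aes.CreateDecryptor();
        return dec.TransformFinalBlock(message, IvLen, bodyLen - IvLen);
    }

    static void Main()
    {
        byte[] encKey = RandomNumberGenerator.GetBytes(32), macKey = RandomNumberGenerator.GetBytes(32);
        byte[] pt = Encoding.UTF8.GetBytes("same plaintext");  // constructed sample input
        byte[] a = Encrypt(pt, encKey, macKey), b = Encrypt(pt, encKey, macKey);
        Console.WriteLine(a.SequenceEqual(b));  // compares two encryptions of the same input
        Console.WriteLine(Encoding.UTF8.GetString(Decrypt(a, encKey, macKey)));
        a[20] ^= 1;                             // tamper with one ciphertext bit
        try { Decrypt(a, encKey, macKey); }
        catch (CryptographicException e) { Console.WriteLine(e.Message); }
    }
}
```

Because the tag covers the IV as well as the ciphertext, a modified IV is rejected the same way as a modified ciphertext block, and the padding check is never reached for a forged message.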

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow