Powershell and AES: If the Salt and IV are both fixed or known, is the encryption inherently unsafe or easier to crack?

Question

I have recently been using this script to do some data encryption for a different script that I will later on be passing to other users, and I'm currently using a fixed IV and Salt. The reason I am currently using a fixed Salt and IV is that the data I have encrypted only needs to be encrypted once, but will need to be decrypted every time my script is run. As such, having everything fixed means that only the password needs to be known to other users of my script.

From reading around, it seems that having the Salt known does not make too much difference to the ease at which the data can be maliciously decrypted if it is unique, however I assume that by using a fixed Salt I am currently mooting the point of applying it.

My Password that I am passing into this script is entered at the point of encryption/decryption, and is not stored anywhere. By keeping the Password completely secret, does this strengthen the encryption somewhat?

In addition, does anyone have any advice for a potentially safer implementation?

Many thanks for all help.

Answer 1

Salts and IV's serve the same purpose, preventing the re-use of work by starting at a random starting point. When you are hashing you call it a Salt, when you are encrypting you call it a IV.

Having a fixed Salt and VI is the same affect as having no Salt or IV, the entire point of those two things is they are different every time so if I crack the key on File A I can't reuse the work for File B, I have to start from scratch again.

Normally the Salt and IV are just prepended to the front of the file or are in the file header. When you go to decrypt the file you read in the IV/Salt first then start reading your encrypted data.

What I would do is instead of using a fixed salt and fixed IV I would just let the program generate the Salt and IV.

$r = new-Object System.Security.Cryptography.RijndaelManaged
$r.GenerateIV();

#generate a new instance of our KDF with a random 32 bit salt. 
$deriveBytes = new-Object Security.Cryptography.Rfc2898DeriveBytes($Passphrase, 32)

$r.Key =$deriveBytes.GetBytes(32) #generate a 32 bit key based off of $Passphrase


#store $r.IV.Length, $r.IV, $deriveBytes.Salt at the front of your file ($deriveBytes.Salt we know will be 32 bytes big because we set it)

Further reading:
- Is it safe to have the salt equal to IV?
- Secret vs. Non-secret Initialization Vector
- Why would you need a salt [...] when IV is already randomly generated and stored with the encrypted data?