I am working on a client-server application in Java which is going to use private-key encryption.
Currently I have a class with a static object of the Cipher class which I initialise like this: myCipher.init(Cipher.DECRYPT_MODE, secretKey, ivParameterSpec);.
Now my question is: I have two-way communication, should I have a separate Cipher object for each way (one for encrypting and one for decrypting) and use the same initialisation vector? Or should I just use the same object and call Cipher.init() to change the modes depending on whether I am encrypting or decrypting?
It makes sense to have separate objects in my head, but I just wanted to be sure. I tried googling but most examples only show encryption one way.
Currently I send the initialisation vector to the server unencrypted, is this correct, or is there a security flaw?
Or am I approaching it completely the wrong way?
Thanks.
Your question is two fold:
You should use one object. This saves memory. But if memory is spendable, go ahead with two. At least that’ll make your code more readable.
IV needs not encrypted. IV is a random value, sync’d by both the sender and receiver. The most important thing about IV is it must not be repeated, or re-used, with the same key!