I am writing an Android application which aims to encrypt and decrypt files using AES 256. I am using AES-CBC mode and PBKDF2 for deriving the AES key from a user-entered password. Also, I am generating a secure, pseudo-random salt for every file's encryption key. I am storing the IV and salt with the encrypted file, so I can reread them and regenerate the key later to be able to decrypt the file.
My question: Does storing the salt along with the encrypted file break security and any meaning of the salt itself? Can't an attacker knowing the salt and the IV make an offline brute-force attack against the encrypted file to find out the encryption key?
The main purpose of the salt is not to be secret, but to make sure an attacker can’t use shortcuts when trying to brute-force the password, like using rainbow tables (i.e. one existing table, or a new one to be used for multiple encrypted files), or brute-forcing multiple collected files (which should have different salts) at once.
As long as your password has enough entropy and the number of iterations in your key derivation function is high enough, storing the salt with the ciphertext is no problem.
The salt alone will not allow anyone to decrypt the file.
Also, if you want to keep the salt secret (it is then usually called "pepper" instead of salt), you'll have to think of some mechanism to get the right salt to the one legitimately doing the decryption.
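The layout the answer endorses (salt and IV stored in the clear next to the ciphertext, key re-derived with PBKDF2 on every decrypt), written out in Java for the Android case the question describes. This is an added example, not the asker's code; the salt/IV sizes and iteration count are choices made here, and `PBKDF2WithHmacSHA256` assumes Android API 26 or newer (earlier levels only ship the SHA-1 variant).

```java
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class SaltedFileCrypto {
    // Sizes and iteration count are chosen for this example; tune ITERATIONS to the device's budget.
    static final int SALT_LEN = 16, IV_LEN = 16, KEY_BITS = 256, ITERATIONS = 200_000;

    // Derive the AES-256 key from the password and the per-file salt.
    static byte[] deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipe the password copy held by the spec
        }
    }
    // File layout: salt || iv || ciphertext. Salt and IV are stored in the clear on purpose.
    static byte[] encrypt(char[] password, byte[] plaintext) throws Exception {
        byte[] salt = new byte[SALT_LEN], iv = new byte[IV_LEN];
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(salt);
        rng.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(deriveKey(password, salt), "AES"), new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plaintext);
        return ByteBuffer.allocate(SALT_LEN + IV_LEN + ct.length).put(salt).put(iv).put(ct).array();
    }
    // Read salt and IV back out of the header, re-derive the key, then decrypt.
    static byte[] decrypt(char[] password, byte[] blob) throws Exception {
        byte[] salt = Arrays.copyOfRange(blob, 0, SALT_LEN);
        byte[] iv = Arrays.copyOfRange(blob, SALT_LEN, SALT_LEN + IV_LEN);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(deriveKey(password, salt), "AES"), new IvParameterSpec(iv));
        return c.doFinal(blob, SALT_LEN + IV_LEN, blob.length - SALT_LEN - IV_LEN);
    }
    public static void main(String[] args) throws Exception {
        char[] pw = "correct horse battery staple".toCharArray(); // constructed sample password
        byte[] a = encrypt(pw, "same plaintext".getBytes("UTF-8"));
        byte[] b = encrypt(pw, "same plaintext".getBytes("UTF-8"));
        // Same password, two files, two salts: the derived keys differ, so a password-to-key
        // table precomputed against file A's salt says nothing about file B.
        boolean differ = !Arrays.equals(deriveKey(pw, Arrays.copyOfRange(a, 0, SALT_LEN)),
                                        deriveKey(pw, Arrays.copyOfRange(b, 0, SALT_LEN)));
        System.out.println("keys differ: " + differ + "; decrypted: " + new String(decrypt(pw, a), "UTF-8"));
    }
}
```

CBC as used here protects confidentiality only; if an attacker modifying a stored file matters, add an HMAC over salt || iv || ciphertext (encrypt-then-MAC) or switch to an authenticated mode such as AES/GCM.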