DEV Community

Discussion on: End-to-End Encrypted Chat with the Web Crypto API

Junxiao Shi

Last time I designed a system using a random IV with AES-GCM and it got rejected in security review. The crypto expert says the IV must have three parts:

  • Sender identifier. If two parties are using the same key, 1 bit should be used to identify the encrypting party.
  • Random bits, 64 bits minus the sender identifier.
  • Counter bits, 32 bits. Starts from zero, incremented for each AES block (not message). The key must be rotated when the counter reaches its maximum.
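The IV layout described in this comment, as an added JavaScript example (not code from the post, the comment, or the article it discusses). It assumes a 96-bit AES-GCM IV with the sender bit as the top bit of the first byte, the 32-bit counter big-endian in the last four bytes, and that a message of N plaintext bytes consumes ceil(N/16) counter values; the random prefix is injected so the construction can be checked with constructed bytes.

```javascript
// Added example: a 96-bit AES-GCM IV built as [1 sender bit | 63 random bits | 32-bit block counter].
// Assumptions (not from the comment): big-endian counter, one counter value per 16-byte AES block.
const IV_BYTES = 12;
const BLOCK_BYTES = 16;
const MAX_COUNTER = 0xffffffff;

class GcmIvState {
  // senderBit: 0 or 1. random8: eight random bytes supplied by the caller
  // (in production from crypto.getRandomValues; tests pass constructed bytes).
  constructor(senderBit, random8) {
    if (senderBit !== 0 && senderBit !== 1) throw new RangeError('senderBit must be 0 or 1');
    if (!(random8 instanceof Uint8Array) || random8.length !== 8) throw new RangeError('need 8 random bytes');
    this.prefix = new Uint8Array(random8);
    // Overwrite only the top bit with the sender identifier; the other 63 bits stay random.
    this.prefix[0] = (this.prefix[0] & 0x7f) | (senderBit << 7);
    this.counter = 0; // AES blocks already consumed under the current key
  }

  // Reserve counter space for one message and return the IV to encrypt it with.
  // Throws when the 32-bit counter would wrap: the key must be rotated before continuing.
  nextIv(plaintextLength) {
    const blocks = Math.max(1, Math.ceil(plaintextLength / BLOCK_BYTES));
    if (this.counter + blocks > MAX_COUNTER + 1) {
      throw new Error('IV counter exhausted: rotate the key');
    }
    const iv = new Uint8Array(IV_BYTES);
    iv.set(this.prefix, 0);
    new DataView(iv.buffer).setUint32(8, this.counter, false); // big-endian counter (assumption)
    this.counter += blocks;
    return iv;
  }
}

// Fresh state with 63 random bits from Web Crypto (browser or Node >= 19 globalThis.crypto).
function newIvState(senderBit) {
  return new GcmIvState(senderBit, globalThis.crypto.getRandomValues(new Uint8Array(8)));
}

// Encrypt one message with Web Crypto, consuming counter space from the shared state.
async function encryptMessage(state, key, plaintext) {
  const iv = state.nextIv(plaintext.byteLength);
  const ciphertext = await globalThis.crypto.subtle.encrypt({ name: 'AES-GCM', iv }, key, plaintext);
  return { iv, ciphertext };
}

// Hex rendering used to inspect an IV.
function ivToHex(iv) {
  return Array.from(iv, (b) => b.toString(16).padStart(2, '0')).join('');
}
```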