Reference Guide

Chapter 6: Changes Between Releases 4.1.2 and 4.1.4
RSA BSAFE Crypto-C Micro Edition 3.x to 4.1.4 Migration Guide
Initialization Vector Generation

Initialization Vector (IV) generation for symmetric key encryption is updated for compliance with the latest FIPS 140-2 implementation guidance (IG A.5).

Crypto-C ME 3.x did not support IV generation. In Crypto-C ME releases 4.0 to 4.1.3, IV generation was deterministic, using a message digest implementation to compress the input values used for IV generation. As such, if you had R_CR_IV_GEN in a resource list, you also needed a message digest resource, such as R_CR_DIGEST_SHA256.

In Crypto-C ME 4.1.4, IV generation is updated to operate in one of two ways:

- In regular use, the IV is generated using a pseudo-random number generator (PRNG). If you use R_CR_IV_GEN in a resource list, resources for random number generation, such as R_CR_RANDOM_GENERATOR, are now required.

  Note: If IV generation is used with the AES GCM algorithm, the IV should be at least 96 bits long. This is the default.

- If IVs are generated for the AES GCM algorithm as part of the TLS protocol, the IV can be generated deterministically using an internal counter value and an externally supplied salt value. For more information, search for R_CR_INFO_ID_CIPHER_PARTIAL_IV in the RSA BSAFE Crypto-C Micro Edition Developers Guide.

  In this case, the internal counter value is initialized to include the current system time, so a time resource, such as R_TIME_RES_MI, is required in your resource list.

Example IV Generation Resource List for Crypto-C ME 4.0 through 4.1.3

    R_RES_ITEM list[] =
    {
        R_CR_IV_GEN,
        R_CR_DIGEST_SHA256,
    };

Example IV Generation Resource List for Crypto-C ME 4.1.4 - Normal Use

    R_RES_ITEM list[] =
    {
        R_CR_IV_GEN,
        R_CR_RANDOM_GENERATOR,
    };

Example IV Generation Resource List for Crypto-C ME 4.1.4 - AES GCM with TLS

    R_RES_ITEM list[] =
    {
        R_CR_IV_GEN,
        R_TIME_RES_MI,
    };
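
The salt-plus-counter construction described above for AES GCM in TLS, sketched as an added example; it is not code from Crypto-C ME or its guides and does not use the Crypto-C ME API. The iv_gen_t type, both functions, the 4-byte salt and 8-byte counter split (as in TLS 1.2 AES GCM) and the placement of the start time in the counter's upper 32 bits are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define GCM_IV_LEN   12 /* 96 bits, the default length noted above */
#define GCM_SALT_LEN 4  /* assumption: 4-byte salt, as in TLS 1.2 AES GCM */

/* Hypothetical generator state; not a Crypto-C ME type. */
typedef struct {
    uint8_t  salt[GCM_SALT_LEN]; /* externally supplied fixed part */
    uint64_t counter;            /* internal invocation counter */
    uint64_t start;              /* first counter value, to detect wrap-around */
    int      exhausted;          /* set once every counter value has been used */
} iv_gen_t;

/* Assumed layout: upper 32 bits of the counter hold the start time. */
void iv_gen_init(iv_gen_t *g, const uint8_t salt[GCM_SALT_LEN], time_t now)
{
    memcpy(g->salt, salt, GCM_SALT_LEN);
    g->counter = ((uint64_t)(uint32_t)now) << 32;
    g->start = g->counter;
    g->exhausted = 0;
}

/* Writes salt || big-endian counter. Returns 0, or -1 rather than reuse an IV. */
int iv_gen_next(iv_gen_t *g, uint8_t iv[GCM_IV_LEN])
{
    int i;
    if (g->exhausted)
        return -1;
    memcpy(iv, g->salt, GCM_SALT_LEN);
    for (i = 0; i < 8; i++)
        iv[GCM_SALT_LEN + i] = (uint8_t)(g->counter >> (56 - 8 * i));
    if (++g->counter == g->start) /* wrapped all the way round */
        g->exhausted = 1;
    return 0;
}

int main(void)
{
    const uint8_t salt[GCM_SALT_LEN] = {0xde, 0xad, 0xbe, 0xef}; /* constructed */
    iv_gen_t g; uint8_t iv[GCM_IV_LEN]; int n, i;
    iv_gen_init(&g, salt, time(NULL));
    for (n = 0; n < 3 && iv_gen_next(&g, iv) == 0; n++) {
        for (i = 0; i < GCM_IV_LEN; i++) printf("%02x", iv[i]);
        printf("\n");
    }
    return 0;
}
```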