http://blogs.msdn.com/shawnfa/archive/2006/10/09/The-Differences-Between-Rijndael-and-AES.aspxWhen you need to write managed code that encrypts or decrypts data according to the AES standard, most people just plug the RijndaelManaged class in and go on their way. After all, Rijndael was the winner of the NIST competition to select the algorithmen-USCommunityServer 2.1 SP1 (Build: 61025.2)http://blogs.msdn.com/shawnfa/archive/2006/10/09/The-Differences-Between-Rijndael-and-AES.aspx#814101Tue, 10 Oct 2006 23:02:27 GMT91d46819-8472-40ad-a661-2c78acb4018c:814101Peter Ritchie<p>You block size for AES-256 in your table should be 128 not 228. &nbsp;Feel free to delete this if it no longer applies...</p> http://blogs.msdn.com/shawnfa/archive/2006/10/09/The-Differences-Between-Rijndael-and-AES.aspx#814331Wed, 11 Oct 2006 00:01:29 GMT91d46819-8472-40ad-a661-2c78acb4018c:814331shawnfa<p>Yep, stupid typoo. &nbsp;Thanks, I've fixed it now!</p> <p>-Shawn</p> http://blogs.msdn.com/shawnfa/archive/2006/10/09/The-Differences-Between-Rijndael-and-AES.aspx#822580Fri, 13 Oct 2006 21:04:40 GMT91d46819-8472-40ad-a661-2c78acb4018c:822580David<p>Hi,</p> <p>I'm curious, why doesn't Rijndael work when the system cryptography FIPS compliance security setting is enabled?</p> <p>Since it's the successor to DES, and since FIPS 197 is the official standard for it, I guess I kind of expected it to work.</p> <p>Has it just not yet been through compliance testing, or is there some reason that it will never be compliant?</p> <p>David</p>http://blogs.msdn.com/shawnfa/archive/2006/10/09/The-Differences-Between-Rijndael-and-AES.aspx#823274Sat, 14 Oct 2006 00:11:37 GMT91d46819-8472-40ad-a661-2c78acb4018c:823274shawnfa<p>Hi David,</p> <p>You hit the nail on the head -- the reason that RijndaelManaged doesn't work in FIPS mode is that it has not been certified.</p> <p>That being said, we have heard the feedback to provide an AES algorithm which will work when FIPS is turned on, so we are looking at that for our next release.</p> <p>-Shawn</p> http://blogs.msdn.com/shawnfa/archive/2006/10/09/The-Differences-Between-Rijndael-and-AES.aspx#1453513Fri, 12 Jan 2007 05:36:13 GMT91d46819-8472-40ad-a661-2c78acb4018c:1453513christian<p>Sorry AES crypto ignorant question here.</p> <p>What about cipher mode and initialization vector?</p> <p>As you said above like most people I just got RijnDaelManaged and went, when I got the request to encrypt using AES. Wouldn't you need to agree on a cipher mode and exchange init vectors with the deciphering party, in addition to exchanging keys?</p> <p>Or is CBC what people use when they say AES?</p> <p>And initVector is not used, or rather all 0?</p> <p>Thanks</p>http://blogs.msdn.com/shawnfa/archive/2006/10/09/The-Differences-Between-Rijndael-and-AES.aspx#1484427Wed, 17 Jan 2007 21:21:11 GMT91d46819-8472-40ad-a661-2c78acb4018c:1484427.Net Security Blog<p>The January CTP of Orcas is now available , and with it comes a total of 12 new cryptography algorithm</p> http://blogs.msdn.com/shawnfa/archive/2006/10/09/The-Differences-Between-Rijndael-and-AES.aspx#1484514Wed, 17 Jan 2007 21:35:47 GMT91d46819-8472-40ad-a661-2c78acb4018c:1484514shawnfa<p>Hi Christian,</p> <p>You're correct that both sides of the encrypted conversation will need to agree on all of the parameters to successfully communicate. &nbsp;AES does not restrict either IV or the cipher mode, however as I mention in the blog post there is a bug in RijndaelManaged which makes CFB and OFB dangerous to use if you need to work with AES. &nbsp;In practice most people just default to CBC.</p> <p>As for the IV, that's not technically protected information, so one practice is to just send it in plaintext before the beginning of the encrypted conversation.</p> <p>-Shawn</p> http://blogs.msdn.com/shawnfa/archive/2006/10/09/The-Differences-Between-Rijndael-and-AES.aspx#1932505Thu, 22 Mar 2007 21:58:43 GMT91d46819-8472-40ad-a661-2c78acb4018c:1932505Matt<p>Is it cryptographically dangerous to simply agree that the IV will be the first (or last) 128 bits of the key? (Is the answer the same for all key sizes?)</p> <p>I'm thinking there are plenty of other things that need to be agreed upon (mode, feedback, padding, block size, etc) so why not the IV too?</p>http://blogs.msdn.com/shawnfa/archive/2006/10/09/The-Differences-Between-Rijndael-and-AES.aspx#1989578Thu, 29 Mar 2007 20:26:17 GMT91d46819-8472-40ad-a661-2c78acb4018c:1989578shawnfa<p>Hi Matt,</p> <p>Generally the IV is not considered a secret, so saying that part of the key is the IV would not be a good idea (since the IV could be transmitted in plain-text, which means that the first portion of your key would be known to attackers). &nbsp;Instead, you can just generate a random IV and send it to the other party to use along with the ciphertext.</p> <p>-Shawn</p> http://blogs.msdn.com/shawnfa/archive/2006/10/09/The-Differences-Between-Rijndael-and-AES.aspx#2258488Tue, 24 Apr 2007 12:31:09 GMT91d46819-8472-40ad-a661-2c78acb4018c:2258488P Dawson, Doncaster, United Kingdom<p>The best solution is to encrypt IV with a perminent (persistent) key previously agreed with the other party, so that only you (plural) know how to decode it. cf. The enigma machine during WWII which had day settings (keys)preknown and the message keys which were encrypted using the day keys.</p> <p>In CBC the PT is XORed with the previous CT, thus ensuring that any changes made to the CT stream will propagate in the decrypted PT.</p> <p>However, this otherwise gives no better security than ECB except for the matter that no repetitions of PT (and CT) can appear.</p>