I've started using RNCryptor, which describes itself as "CCCryptor (AES encryption) wrappers for iOS and Mac".
My question isn't specific to iOS, but is more general.
Here's some code I might use to encrypt a string:
func encryptText(text: String, encryptionKey: String) -> NSData? {
let textData = text.dataUsingEncoding(NSUTF8StringEncoding)
if textData == nil {
return nil
}
let encryptedTextData = RNCryptor.encryptData(textData!, password: encryptionKey)
return encryptedTextData
}
I have a few concerns:
All an attacker could do is brute-force the key, which is not a realistic proposition, and one that does not get easier with the knowledge of multiple messages (unless there is some weakness in AES that we are not aware of that would produce "patterns").
You may be wondering if there are other advantages to an attacker if he gains access to many intercepted (or even decrypted) messages. For example the ability to guess a plaintext if it was similar or even identical to an earlier message.
AES includes setting an "initialization vector".
Usually, you set a random IV for every message and send that along with the encrypted message. Your library is doing that as well. The result is that no two messages are encrypted in exactly the same way. Even if you send the same plaintext three times, it will end up in three disparate ciphertexts (indistinguishable from three different messages). Same idea as "salting".
would adding a series of random characters to the end of each string (lets say 20 characters) secure me from that type of attack?
The random IV mechanism makes this unnecessary.
As for it being effective, AES is a block cipher. The output of earlier blocks can affect the output of later blocks, but not the other way around. So a random padding at the end will only change the last block. If anything, you'd want to pad your string at the beginning. But again, the algorithm itself (if used properly) has mechanisms to deal with these concerns (in the form of IV, block chaining and block padding).