Why are Static Initialization Vectors Used in Secure Communications from the Android SDK?

Document ID : KB000106154
Last Modified Date : 13/07/2018
Introduction:
An initialization vector (IV) is a value fed into a cipher mode alongside the key, typically a fresh random one, so that encrypting the same plaintext twice under the same key does not yield the same ciphertext: https://en.wikipedia.org/wiki/Initialization_vector
Question:
Why are the IVs used by the Android SDK static?
Environment:
AXA Version 17.3.x
Answer:
AXA protects captured data with hybrid RSA/AES encryption.

During application creation in the AXA Administration UI, AXA generates an RSA public/private key pair and stores it in the backend database. The RSA public key is shared with the SDK via the generated plist file, and the SDK uses it to encrypt data. RSA can only encrypt a limited number of bytes in one operation, so for content above that limit the SDK encrypts the data with an AES-256 key and sends that key to the AXA backend encrypted under the RSA public key. A new AES-256 key is generated for every captured event, and this is where the static IV is used.

Because the AES key is freshly generated for every event, protected by the RSA key in transit and discarded after encryption, a new IV does not have to be generated for every event: the IV alone is of no use without the AES key, and a fixed IV only leaks information when the same key is used for more than one message. This reasoning holds only as long as no AES key is ever reused; if two events were encrypted under the same key with the fixed IV, equal plaintexts would produce equal ciphertexts. For small events, the backend decrypts the payload directly with the RSA private key; for large events, it first decrypts the AES key with the RSA private key and then uses that key to decrypt the content. RSA decryption is currently handled using Java libraries.
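The hybrid scheme described above, written out as an added example in Go; this is not the SDK's or the backend's code. It assumes RSA-OAEP (SHA-256) for wrapping the key, AES-256 in CBC mode with PKCS#7 padding, and an all-zero 16-byte static IV; the page names none of these specifics, and the sample event payload is constructed. It also shows the two checks a practitioner would want: the same payload encrypted for two events gives different ciphertexts because the keys are fresh, while encrypting twice under one reused key with the static IV gives identical ciphertexts, which is the situation the per-event key is there to prevent.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// StaticIV stands in for the SDK's fixed IV. The KB does not publish the real
// value; an all-zero block is assumed here. Its value does not matter for
// security as long as every AES key is used for exactly one event.
var StaticIV = make([]byte, aes.BlockSize)

// Envelope is the assumed shape of a "large event" upload: the one-time
// AES-256 key wrapped under the backend's RSA public key, plus the ciphertext.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(SHA-256) of the 32-byte AES key
	Ciphertext []byte // AES-256-CBC(StaticIV) of the PKCS#7-padded payload
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not block aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// CBCEncrypt encrypts under key with the static IV. It is exposed separately
// so the key-reuse failure mode can be demonstrated directly.
func CBCEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(append([]byte(nil), plaintext...))
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, StaticIV).CryptBlocks(out, padded)
	return out, nil
}

// CBCDecrypt reverses CBCEncrypt and rejects bad block alignment or padding.
func CBCDecrypt(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) == 0 || len(ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not block aligned")
	}
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, StaticIV).CryptBlocks(out, ciphertext)
	return pkcs7Unpad(out)
}

// EncryptEvent is the SDK side: a fresh 256-bit key per event, wrapped under RSA.
func EncryptEvent(pub *rsa.PublicKey, payload []byte) (Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return Envelope{}, err
	}
	ct, err := CBCEncrypt(key, payload)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedKey: wrapped, Ciphertext: ct}, nil
}

// DecryptEvent is the backend side: unwrap the AES key with the RSA private
// key, then decrypt the content with it.
func DecryptEvent(priv *rsa.PrivateKey, env Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return CBCDecrypt(key, env.Ciphertext)
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	event := []byte(`{"event":"screen_view","screen":"Login"}`) // constructed sample payload
	e1, _ := EncryptEvent(&priv.PublicKey, event)
	e2, _ := EncryptEvent(&priv.PublicKey, event)
	pt, _ := DecryptEvent(priv, e1)
	fmt.Println("fresh key per event, static IV, ciphertexts differ:", !bytes.Equal(e1.Ciphertext, e2.Ciphertext))
	fmt.Println("backend round trip ok:", bytes.Equal(pt, event))
	reused := make([]byte, 32) // the same key used twice: what the per-event key rules out
	c1, _ := CBCEncrypt(reused, event)
	c2, _ := CBCEncrypt(reused, event)
	fmt.Println("reused key, static IV, ciphertexts identical:", bytes.Equal(c1, c2))
}
```

The last two prints are the point of the example: with a fixed IV the scheme's confidentiality rests entirely on the AES key never being reused, so any change that caches or reuses the per-event key would silently turn the static IV into a real weakness.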

Please reach out to CA Support if you have any questions on this.