c# encryption aes rijndaelmanaged

AES algorithm (pass key length) - AES pass key + additional PIN code


In my business scenario (basically a cloud file sharing application) I have the following case:

  1. user uploads file(s) to the folder

  2. it's being checked if the folder is PIN protected

  3. 1) If it's not PIN protected, encrypt the file using the predefined pass key stored in the application + IV key stored in the database.

    2) If it's PIN protected, encrypt the file using the predefined pass key + PIN value + IV key stored in the database

The problem is that AES, having limited pass key length gets invalid key length when the max key size (16, 24, 32 bytes) is exceeded. My main question is how to achieve something like that while maintaining the security.

At the moment folder PIN length isn't limited but it seems that I should limit it to at least the max length of the AES key pass. Slight improvement could be using RijndaelManaged where I have a bit more flexibility regarding the pass key length.

Any suggestion would be appreciated.

Note: I don't think code would add any value to the question but if anyone doesn't agree, let me know and I'd add it.


Solution

  • A key derivation function will create a key with a controlled length; if the derived key is longer than needed, just truncate it.

    Additionally, the encryption IV is not considered secret and is usually just prepended to the encrypted data. Many times the key derivation salt as well as the iteration count is also prepended to the encrypted data. For good security it is best to use well-vetted methods.
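
The approach described in the answer, as an added example that is not part of the original post: PBKDF2 turns the application pass key plus a PIN of any length into a 32-byte AES key, and the iteration count, salt and IV are prepended to the ciphertext. It assumes .NET 6 or later; the class name, the header layout, the `"\0"` separator and the iteration values are choices made for this sketch.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

static class FolderCrypto
{
    const int SaltSize = 16, IvSize = 16, KeySize = 32;  // AES-256, 128-bit block
    const int Iterations = 600_000;       // assumed work factor; tune for your hardware
    const int MaxIterations = 5_000_000;  // assumed upper bound accepted on decrypt

    // Derive a fixed-length key; the PIN may be null (unprotected folder) or any length.
    static byte[] DeriveKey(string appPassKey, string pin, byte[] salt, int iterations)
    {
        byte[] secret = Encoding.UTF8.GetBytes(appPassKey + "\0" + (pin ?? ""));
        return Rfc2898DeriveBytes.Pbkdf2(secret, salt, iterations,
                                         HashAlgorithmName.SHA256, KeySize);
    }

    // Output layout (constructed for this example): iterations(4) | salt(16) | IV(16) | ciphertext
    public static byte[] Encrypt(byte[] plain, string appPassKey, string pin)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        using var aes = Aes.Create();      // CBC + PKCS7 by default, random IV per instance
        aes.Key = DeriveKey(appPassKey, pin, salt, Iterations);
        using var ms = new MemoryStream();
        ms.Write(BitConverter.GetBytes(Iterations));
        ms.Write(salt);
        ms.Write(aes.IV);
        using (var enc = aes.CreateEncryptor())
            ms.Write(enc.TransformFinalBlock(plain, 0, plain.Length));
        return ms.ToArray();
    }

    public static byte[] Decrypt(byte[] blob, string appPassKey, string pin)
    {
        int offset = 4 + SaltSize + IvSize;
        if (blob.Length < offset) throw new CryptographicException("Header too short.");
        int iterations = BitConverter.ToInt32(blob, 0);
        // The header is attacker-controllable: bound the work factor before deriving.
        if (iterations < 1 || iterations > MaxIterations)
            throw new CryptographicException("Iteration count out of range.");
        using var aes = Aes.Create();
        aes.Key = DeriveKey(appPassKey, pin, blob.AsSpan(4, SaltSize).ToArray(), iterations);
        aes.IV = blob.AsSpan(4 + SaltSize, IvSize).ToArray();
        using var dec = aes.CreateDecryptor();
        return dec.TransformFinalBlock(blob, offset, blob.Length - offset);
    }
}
```

CBC on its own gives no integrity protection, so a tampered file or a wrong PIN usually surfaces only as a padding error; an authenticated mode such as `AesGcm` is the usual choice where the runtime provides it.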