...

A key (randomly generated via the key-generation mechanism or user-provided) and the initialization vector are then used in the encryption process.

Supplying an AES 128-bit Key

...

There are two ways of supplying a key for encryption. The first is to generate a random key automatically. mi2b2 will use the build-in Java cryptographic methods to generate a key and write that key to a file. The file then can be shared among different users to open all images encrypted with that key.

The second way is to use a passphrase that is at least 8 characters long. The mi2b2 client will first generate a salt using the user's username that is used to log onto i2b2. The salt is randomly generated using the SHA1PRNG (SHA1 Pseudo Random Number Generator) algorithm. If no such algorithm exists on the particular platform, the platform default will be used instead. The salt is 16 bytes long. Then the following process is repeated:

1. A temporary array is created to contain the concatenation of the passphrase and the salt.
2. A 256-bit long cryptographic hash (using SHA-256) is computed.
3. The hash is saved as the new passphrase.

These steps repeat for 1024 times. The final passphrase is then used as the key. The use of salt and the 1024 repetition is to discourage and slow down dictionary and brute force attacks at guessing the passphrase.

Encrypting a Study

...

When users download a study from the mi2b2 server's cache, the study is copied from the cache, and written to the user's download location. The study resides on the cache as a zip file. As the zip file is being streamed to user's mi2b2 client, the client performs unzipping and encryption as the stream goes on. That is, the client does not wait for the entire zip file to complete downloading before unzipping and encrypting. As long as there is enough data to unzip, the client will unzip, encrypt that chunk of data, and write to disk when appropriate.

...