Let's say, Alice uses AES256-CBC to encrypt some data. The key for encryption is derived using PBKDF2, where password is some passphrase Alice and Bob agreed on (using DH) and salt is random generated (using /dev/urandom for now)*. The IV for the CBC is generated the same way as the salt.
Now Bob receives the cipher and would like to authenticate it, so he can tell for sure, that the message really came from Alice (or anyone else who knows the passphrase). Should Alice encrypt the data first, use the derived key as password, the cipher as message and append/prepend the result to the cipher?
Or she ought to use the derived key as password, the plain text as message, prepend the HMAC to the plain text and encrypt?
(There is a lot of related questions and answers, I am just confused what to use when and what are the pros and cons)
Another problem I'm struggling with is, how will Bob get the IV and the salt which were randomly generated at encryption time?
Last problem I'm trying to solve is, when Bob will decrypt the cipher, how can he know the password he entered is correct, without decrypting all of the data?
*Is
/dev/urandom secure enough to generate random salt and IV?
Just to clarify, I don't intend to use this implementation in real world situation, this is purely for educational purpose
