Don't reuse IVs and add future placeholder for key rotation.

[TreyE]

Ticket: https://www.pivotaltracker.com/story/show/186126008

This submission makes some updates to the way encryption of sensitive values is performed in ACA Entities:

1. Generate a unique IV for each encryption round to prevent nonce-reuse attacks
2. Adds a payload header with versioning support so that in the future we can perform key and algorithm rotation
3. Maintains backward compatibility and the ability to decrypt values already encrypted using the 'legacy' algorithm
4. Maintains the existing, established API so upgrades are transparent

While evaluating this ticket, I want to keep a list of testing necessities/gotchas that this update introduces:

1. Gotcha - all systems which use ACA Entities in an environment will need to update to use this version at the same time. While in actuality it would suffice to only need to promote ACA Entities for applications which consume encrypted payloads, the interconnection of our various applications is most likely too complex to make the determination as to which applications, if any, perform only this role.
2. Gotcha - it doesn't seem we have an inventory of all applications which use ACA Entities and what version they currently use, so that we could spot compatibility issues when we promote.