How do I detect a failed AES-256 decryption programmatically?Is compressing data prior to encryption...
Thread-safe, Convenient and Performant Random Number Generator
Most practical knots for hitching a line to an object while keeping the bitter end as tight as possible, without sag?
How to avoid using System.String with Rfc2898DeriveBytes in C#
Can my boyfriend, who lives in the UK and has a Polish passport, visit me in the USA?
Potential new partner angry about first collaboration - how to answer email to close up this encounter in a graceful manner
Does Git delete empty folders?
What is the difference between a premise and an assumption in logic?
How to setup a teletype to a unix shell
Overwrite file only if data
How to create a summation symbol with a vertical bar?
Sleeping solo in a double sleeping bag
Can you feel passing through the sound barrier in an F-16?
Why are delta bots so finicky?
Was Switzerland really impossible to invade during WW2?
Does adding the 'precise' tag to daggers break anything?
Church Booleans
How to persuade recruiters to send me the Job Description?
Is a butterfly one or two animals?
How to organize ideas to start writing a novel?
Is there a known non-euclidean geometry where two concentric circles of different radii can intersect? (as in the novel "The Universe Between")
How would one country purchase another?
How can I support the recycling, but not the new production of aluminum?
Running script line by line automatically yet being asked before each line from second line onwards
How to dismiss intrusive questions from a colleague with whom I don't work?
How do I detect a failed AES-256 decryption programmatically?
Is compressing data prior to encryption necessary to reduce plaintext redundancy?Why should I use Authenticated Encryption instead of just encryption?AES key length greater than 256 bits - is it dangerous to do an implementation outside of the standard?AES CBC with fixed or predictable IV, what are the risks?Validating successful decryption in AESWhat is required to decrypt an encrypted file?AES-256 mode with per-block-key being a SHA-256 of SHA-256 of secret key, random public salt and block number. What's amiss?PHP AES 256 CBC faster than AES 128 CBC? Or am I doing something wrong?Is it possible to recover an AES encrypted file that was decrypted with incorrect key/password?Is it safe to use unauthenticated AES CBC when encrypting random bytes?Encryption / Decryption method secureAES reverse Rijndael key schedule with decryption round keys
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ margin-bottom:0;
}
$begingroup$
I have implemented a simple encryption/decryption program based on AES-256 in CBC mode1.
Actually, it is more precise to describe it as a compression+encryption / decryption+decompression program.
If one provides the wrong key to the decryption+decompression function, the decompression stage will explicitly fail, as expected, since the decrypted content (being based on the wrong key) will be just noise.
I would like modify the decryption phase of the scheme so that it detects on its own that the wrong key has been used, before it proceeds to the decompression phase. I am looking for a scheme to support this functionality that does not weaken the overall cryptographic strength of the framework.
A naive approach would be to generate the encrypted content as2
AES256_CBC(key, iv, SENTINEL_STRING + plaintext)
where SENTINEL_STRING is a string that the decryption phase can know in advance. While I am being naive about it, I could make the SENTINEL_STRING be equal to the key, for example.
I imagine there are pretty standard ways to solve this problem. In fact, for all I know, the design of AES-256-CBC already has built into it a way to check that decryption succeeded.
I hope someone can enlighten me on these matters.
Also, if this problem is common enough to have a generally accepted name (suitable as search engine fodder) please let me know.
1 For what it's worth, my current implementation of this uses Python's pycrypto module, but an earlier implementation used Perl's Crypto::CBC package. Both versions can reciprocally decrypt+decompress files compressed+encrypted by the other. I bother mentioning all this to stress the fact that this question is primarily about AES-256-CBC in general, and not about any specific implementation of it.
2 I hope my ad-hoc notation here is not too stupid. I mean it as a shorthand for "encrypt the string SENTINEL_STRING + plaintext with AES-256 in CBC mode, using the key key and initialization vector iv".
aes
edited 11 hours ago
Peter Mortensen
1232 bronze badges
asked Aug 18 at 0:11
kjokjo
2092 silver badges7 bronze badges
$endgroup$
add a comment |
$begingroup$
I have implemented a simple encryption/decryption program based on AES-256 in CBC mode1.
Actually, it is more precise to describe it as a compression+encryption / decryption+decompression program.
If one provides the wrong key to the decryption+decompression function, the decompression stage will explicitly fail, as expected, since the decrypted content (being based on the wrong key) will be just noise.
I would like modify the decryption phase of the scheme so that it detects on its own that the wrong key has been used, before it proceeds to the decompression phase. I am looking for a scheme to support this functionality that does not weaken the overall cryptographic strength of the framework.
A naive approach would be to generate the encrypted content as2
AES256_CBC(key, iv, SENTINEL_STRING + plaintext)
where SENTINEL_STRING is a string that the decryption phase can know in advance. While I am being naive about it, I could make the SENTINEL_STRING be equal to the key, for example.
I imagine there are pretty standard ways to solve this problem. In fact, for all I know, the design of AES-256-CBC already has built into it a way to check that decryption succeeded.
I hope someone can enlighten me on these matters.
Also, if this problem is common enough to have a generally accepted name (suitable as search engine fodder) please let me know.
1 For what it's worth, my current implementation of this uses Python's pycrypto module, but an earlier implementation used Perl's Crypto::CBC package. Both versions can reciprocally decrypt+decompress files compressed+encrypted by the other. I bother mentioning all this to stress the fact that this question is primarily about AES-256-CBC in general, and not about any specific implementation of it.
2 I hope my ad-hoc notation here is not too stupid. I mean it as a shorthand for "encrypt the string SENTINEL_STRING + plaintext with AES-256 in CBC mode, using the key key and initialization vector iv".
aes
edited 11 hours ago
Peter Mortensen
1232 bronze badges
asked Aug 18 at 0:11
kjokjo
2092 silver badges7 bronze badges
$endgroup$
2
$begingroup$
CBC mode is vulnerable to padding oracle attacks and it is removed in TLS 1.3. In TLS 1.3, we have only Authenticated Encryption (AE) modes like AES-GCM and ChaCha-Poly1305. It better to switch since AE gives you not only confidentiality but also integrity and authentication.
$endgroup$
– kelalaka
2 days ago
$begingroup$
Your search engine fodder is "authenticated encryption." Also: (a) you should not be using CBC at all; (b) you really ought to read a modern crypto book first, I recommend Aumasson's Serious Cryptography.
$endgroup$
– Luis Casillas
6 hours ago
add a comment |
$begingroup$
I have implemented a simple encryption/decryption program based on AES-256 in CBC mode1.
Actually, it is more precise to describe it as a compression+encryption / decryption+decompression program.
If one provides the wrong key to the decryption+decompression function, the decompression stage will explicitly fail, as expected, since the decrypted content (being based on the wrong key) will be just noise.
I would like modify the decryption phase of the scheme so that it detects on its own that the wrong key has been used, before it proceeds to the decompression phase. I am looking for a scheme to support this functionality that does not weaken the overall cryptographic strength of the framework.
A naive approach would be to generate the encrypted content as2
AES256_CBC(key, iv, SENTINEL_STRING + plaintext)
where SENTINEL_STRING is a string that the decryption phase can know in advance. While I am being naive about it, I could make the SENTINEL_STRING be equal to the key, for example.
I imagine there are pretty standard ways to solve this problem. In fact, for all I know, the design of AES-256-CBC already has built into it a way to check that decryption succeeded.
I hope someone can enlighten me on these matters.
Also, if this problem is common enough to have a generally accepted name (suitable as search engine fodder) please let me know.
1 For what it's worth, my current implementation of this uses Python's pycrypto module, but an earlier implementation used Perl's Crypto::CBC package. Both versions can reciprocally decrypt+decompress files compressed+encrypted by the other. I bother mentioning all this to stress the fact that this question is primarily about AES-256-CBC in general, and not about any specific implementation of it.
2 I hope my ad-hoc notation here is not too stupid. I mean it as a shorthand for "encrypt the string SENTINEL_STRING + plaintext with AES-256 in CBC mode, using the key key and initialization vector iv".
aes
edited 11 hours ago
Peter Mortensen
1232 bronze badges
asked Aug 18 at 0:11
kjokjo
2092 silver badges7 bronze badges
$endgroup$
I have implemented a simple encryption/decryption program based on AES-256 in CBC mode1.
Actually, it is more precise to describe it as a compression+encryption / decryption+decompression program.
If one provides the wrong key to the decryption+decompression function, the decompression stage will explicitly fail, as expected, since the decrypted content (being based on the wrong key) will be just noise.
I would like modify the decryption phase of the scheme so that it detects on its own that the wrong key has been used, before it proceeds to the decompression phase. I am looking for a scheme to support this functionality that does not weaken the overall cryptographic strength of the framework.
A naive approach would be to generate the encrypted content as2
AES256_CBC(key, iv, SENTINEL_STRING + plaintext)
where SENTINEL_STRING is a string that the decryption phase can know in advance. While I am being naive about it, I could make the SENTINEL_STRING be equal to the key, for example.
I imagine there are pretty standard ways to solve this problem. In fact, for all I know, the design of AES-256-CBC already has built into it a way to check that decryption succeeded.
I hope someone can enlighten me on these matters.
Also, if this problem is common enough to have a generally accepted name (suitable as search engine fodder) please let me know.
1 For what it's worth, my current implementation of this uses Python's pycrypto module, but an earlier implementation used Perl's Crypto::CBC package. Both versions can reciprocally decrypt+decompress files compressed+encrypted by the other. I bother mentioning all this to stress the fact that this question is primarily about AES-256-CBC in general, and not about any specific implementation of it.
2 I hope my ad-hoc notation here is not too stupid. I mean it as a shorthand for "encrypt the string SENTINEL_STRING + plaintext with AES-256 in CBC mode, using the key key and initialization vector iv".
aes
aes
edited 11 hours ago
Peter Mortensen
1232 bronze badges
asked Aug 18 at 0:11
kjokjo
2092 silver badges7 bronze badges
edited 11 hours ago
Peter Mortensen
1232 bronze badges
asked Aug 18 at 0:11
kjokjo
2092 silver badges7 bronze badges
edited 11 hours ago
Peter Mortensen
1232 bronze badges
edited 11 hours ago
Peter Mortensen
1232 bronze badges
edited 11 hours ago
Peter Mortensen
1232 bronze badges
1232 bronze badges
asked Aug 18 at 0:11
kjokjo
2092 silver badges7 bronze badges
asked Aug 18 at 0:11
kjokjo
2092 silver badges7 bronze badges
asked Aug 18 at 0:11
kjokjo
2092 silver badges7 bronze badges
2092 silver badges7 bronze badges
2
$begingroup$
CBC mode is vulnerable to padding oracle attacks and it is removed in TLS 1.3. In TLS 1.3, we have only Authenticated Encryption (AE) modes like AES-GCM and ChaCha-Poly1305. It better to switch since AE gives you not only confidentiality but also integrity and authentication.
$endgroup$
– kelalaka
2 days ago
$begingroup$
Your search engine fodder is "authenticated encryption." Also: (a) you should not be using CBC at all; (b) you really ought to read a modern crypto book first, I recommend Aumasson's Serious Cryptography.
$endgroup$
– Luis Casillas
6 hours ago
add a comment |
2
$begingroup$
CBC mode is vulnerable to padding oracle attacks and it is removed in TLS 1.3. In TLS 1.3, we have only Authenticated Encryption (AE) modes like AES-GCM and ChaCha-Poly1305. It better to switch since AE gives you not only confidentiality but also integrity and authentication.
$endgroup$
– kelalaka
2 days ago
$begingroup$
Your search engine fodder is "authenticated encryption." Also: (a) you should not be using CBC at all; (b) you really ought to read a modern crypto book first, I recommend Aumasson's Serious Cryptography.
$endgroup$
– Luis Casillas
6 hours ago
2
2
$begingroup$
CBC mode is vulnerable to padding oracle attacks and it is removed in TLS 1.3. In TLS 1.3, we have only Authenticated Encryption (AE) modes like AES-GCM and ChaCha-Poly1305. It better to switch since AE gives you not only confidentiality but also integrity and authentication.
$endgroup$
– kelalaka
2 days ago
$begingroup$
CBC mode is vulnerable to padding oracle attacks and it is removed in TLS 1.3. In TLS 1.3, we have only Authenticated Encryption (AE) modes like AES-GCM and ChaCha-Poly1305. It better to switch since AE gives you not only confidentiality but also integrity and authentication.
$endgroup$
– kelalaka
2 days ago
$begingroup$
Your search engine fodder is "authenticated encryption." Also: (a) you should not be using CBC at all; (b) you really ought to read a modern crypto book first, I recommend Aumasson's Serious Cryptography.
$endgroup$
– Luis Casillas
6 hours ago
$begingroup$
Your search engine fodder is "authenticated encryption." Also: (a) you should not be using CBC at all; (b) you really ought to read a modern crypto book first, I recommend Aumasson's Serious Cryptography.
$endgroup$
– Luis Casillas
6 hours ago
add a comment |
3 Answers
3
active
oldest
votes
$begingroup$
You should use an authenticated encryption mode. There are several reasons for that, but one (relatively minor) one is that it automatically gives you the ability to detect incorrect keys, since the authentication will fail.
If you insist on using a traditional non-authenticated encryption mode, or if you'd like to have some way of distinguishing "incorrect key" from "corrupted ciphertext", you can include a key check value together with the ciphertext, and verify it before attempting decryption. There are several possible ways to implement one.
A traditional method is to encrypt an all-zero block using the raw block cipher (i.e. "ECB mode") and use the resulting ciphertext as the key check value, but note that this makes it possible for an attacker to tell whether two messages have been encrypted using the same key by comparing the key check values. Alternatively, assuming that you're using an authenticated encryption mode anyway, you could just generate the key check value by encrypting an empty message using the same mode. Assuming that you're using a unique nonce / IV for each encryption, as you should be, this should eliminate the information leak by making every key check value also unique.
(BTW, note that compressing data before encryption can leak (extra) information about the plaintext. Basically, this happens because all general-purpose encryption schemes necessarily leak information about the length of the plaintext, and compression makes the plaintext length depend on its content. Padding reduces this leak slightly, but does not eliminate it. This has been used in actual attacks.)
answered Aug 18 at 0:52
Ilmari KaronenIlmari Karonen
38.3k3 gold badges81 silver badges150 bronze badges
$endgroup$
1
$begingroup$
@kjo: That's one situation where authenticated encryption might not be necessary. That said, I would recommend using it anyway, since it costs you basically nothing. As for using the encrypted IV/nonce as the key check value, I wouldn't recommend that without careful analysis, since for some encryption modes (including, notably, CBC) revealing the encrypted nonce leaks the first block of the plaintext(!). That said, e.g. encrypting a (possibly truncated) hash of the nonce should be safe, as should hashing the block cipher output and using that as the key check value.
$endgroup$
– Ilmari Karonen
2 days ago
1
$begingroup$
(Actually, if you have a cryptographic hash function available, as you probably do, simply concatenating the key with the nonce and hashing the result should make a fine key check value.)
$endgroup$
– Ilmari Karonen
2 days ago
2
$begingroup$
@kjo: It probably isn't. The situations where I know of it having been exploited are ones where either secret data is combined with data an attacker can control before being compressed and encrypted (as in the CRIME/BREACH attacks on HTTPS) or where the data is split into small segments in a way that allows the length of encrypted segments to leak information (as in the attacks on encrypted live voice chat). Your scheme doesn't look like either of those, but of course that doesn't prove that the leak doesn't matter.
$endgroup$
– Ilmari Karonen
2 days ago
1
$begingroup$
For example, assuming that you're storing the uncompressed length of the plaintext as metadata, that means that anyone looking at the compressed and encrypted data can make a pretty good guess as to whether it contains 200 MB of source code (plain text, compresses well) or 200 MB of MPEG video (already compressed, thus essentially incompressible). Could that ever be an issue?
$endgroup$
– Ilmari Karonen
2 days ago
2
$begingroup$
You could use the master secret to calculate two secrets using a KDF with a specific info string (and possibly even an included salt), and then include the output of one secret. That's, in my opinion, better than the original key check value, which is just dangerous (e.g. when combined with CTR mode and a counter of zero). Actually, the original KDF only has the advantage that you don't need to perform any other operations than encryption with the key (which means it also works for e.g. 3DES where the parity bits may differ).
$endgroup$
– Maarten Bodewes♦
2 days ago
|
show 8 more comments
$begingroup$
Ilmari Karonen already mentioned using an authenticated encryption mode, which would solve the concerns, but should you not go that way, please note the flaw in your premise:
If one provides the wrong key to the decryption+decompression function, the decompression stage will explicitly fail, as expected, since the decrypted content (being based on the wrong key) will be just noise.
Pretty much any wrong key or change in the ciphertext will decrypt to something which is not valid for the decompression algorithm you used, and that it will detect (and hopefully your program will detect that error). But that isn't guaranteed.
A trivial solution would be to include an HMAC/hash of the plaintext/compressed content, which would allow you to validate that you decrypted the right content.
This is even more important taking into account that your use case is long-term storage. I wouldn't be surprised if it was possible to truncate one such file at the right boundary that it was unnoticed not only by the AES-CBC but also by the underlying compression function. Just adding a key-check value won't detect that issue.
Since you are aiming for storage, it probably won't matter for you, but note that if this was used in eg. an online protocol, detecting decompression errors would provide an oracle to an attacker that sent your decrypter multiple corrupted blocks, based on the difference of time it needed for processing it.
answered 2 days ago
ÁngelÁngel
2762 silver badges4 bronze badges
$endgroup$
1
$begingroup$
I guess that depending on the modes of failure that including a MAC and a key check value (or separate KDF value as KCV, see my comment below Ilmari's answer) would be a good idea. As indicated, a KCV is to detect if the key is correct or not, the MAC if the integrity of the data is preserved (although, of course, the KCV can also be altered in some situations).
$endgroup$
– Maarten Bodewes♦
2 days ago
1
$begingroup$
@MaartenBodewes I am presenting why the OP should care about an integrity check. kjo may wish to add that plus a KCV. Actually, I am not sure what exactly drives his need of such check, which would influence what to check and where. Personally, I would probably add a 1.byte of the password hash, similarly to the zip format, thus we are only giving out a tiny bit of information on the password itself, requiring bruteforcing attempts to decrypt the whole file to test their guesses.
$endgroup$
– Ángel
yesterday
$begingroup$
OK, although I think the single byte is useful for transmitting the least amount of data. There is no need to decrypt a whole file to guess a password, even on most AEAD schemes; just decrypting a few blocks without verifying the authentication tag is enough.
$endgroup$
– Maarten Bodewes♦
14 hours ago
add a comment |
$begingroup$
There is no way to detect the wrong key before decrypting: I can create a message M, a totally valid and legitimate key K, and then I encrypt the message with a different key K': Any information that I give you about the key K will be totally legitimate and fine, it will just not be about the key I used to encrypt the message.
You can try to include additional information, but whatever you ask for, I can supply you with information that would be correct with the key K, and then use the key K'.
I can even start encrypting using K, encrypt 90% of the message that way, and use K' for the remaining 10%. So there is no way to detect an incorrect key other than decrypting the complete message, and checking that the decrypted message is valid.
answered 2 days ago
gnasher729gnasher729
8783 silver badges5 bronze badges
$endgroup$
2
$begingroup$
That's true, but it is possible to safely distinguish between "this message might be valid, but clearly not encrypted with this key" and "at least a part of this message has been encrypted with this key, but the rest is invalid" without having to process the full message in the first case. This distinction can be useful if you expect the receiver to sometimes attempt decryption with the wrong key (e.g. because they mistyped the passphrase the key was derived from) even in the absence of any malicious attacks, and if verifying the full message just to catch a typo may be undesirably slow.
$endgroup$
– Ilmari Karonen
2 days ago
1
$begingroup$
True, and it may be very useful if only part of the message is received. I had to show why signature verification failed on message that was cut in two, but I had to process the whole file for that (I told them that a separate FTP process could not indicate that the file upload was finished, sigh).
$endgroup$
– Maarten Bodewes♦
2 days ago
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "281"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f72658%2fhow-do-i-detect-a-failed-aes-256-decryption-programmatically%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
$begingroup$
You should use an authenticated encryption mode. There are several reasons for that, but one (relatively minor) one is that it automatically gives you the ability to detect incorrect keys, since the authentication will fail.
If you insist on using a traditional non-authenticated encryption mode, or if you'd like to have some way of distinguishing "incorrect key" from "corrupted ciphertext", you can include a key check value together with the ciphertext, and verify it before attempting decryption. There are several possible ways to implement one.
A traditional method is to encrypt an all-zero block using the raw block cipher (i.e. "ECB mode") and use the resulting ciphertext as the key check value, but note that this makes it possible for an attacker to tell whether two messages have been encrypted using the same key by comparing the key check values. Alternatively, assuming that you're using an authenticated encryption mode anyway, you could just generate the key check value by encrypting an empty message using the same mode. Assuming that you're using a unique nonce / IV for each encryption, as you should be, this should eliminate the information leak by making every key check value also unique.
(BTW, note that compressing data before encryption can leak (extra) information about the plaintext. Basically, this happens because all general-purpose encryption schemes necessarily leak information about the length of the plaintext, and compression makes the plaintext length depend on its content. Padding reduces this leak slightly, but does not eliminate it. This has been used in actual attacks.)
answered Aug 18 at 0:52
Ilmari KaronenIlmari Karonen
38.3k3 gold badges81 silver badges150 bronze badges
$endgroup$
1
$begingroup$
@kjo: That's one situation where authenticated encryption might not be necessary. That said, I would recommend using it anyway, since it costs you basically nothing. As for using the encrypted IV/nonce as the key check value, I wouldn't recommend that without careful analysis, since for some encryption modes (including, notably, CBC) revealing the encrypted nonce leaks the first block of the plaintext(!). That said, e.g. encrypting a (possibly truncated) hash of the nonce should be safe, as should hashing the block cipher output and using that as the key check value.
$endgroup$
– Ilmari Karonen
2 days ago
1
$begingroup$
(Actually, if you have a cryptographic hash function available, as you probably do, simply concatenating the key with the nonce and hashing the result should make a fine key check value.)
$endgroup$
– Ilmari Karonen
2 days ago
2
$begingroup$
@kjo: It probably isn't. The situations where I know of it having been exploited are ones where either secret data is combined with data an attacker can control before being compressed and encrypted (as in the CRIME/BREACH attacks on HTTPS) or where the data is split into small segments in a way that allows the length of encrypted segments to leak information (as in the attacks on encrypted live voice chat). Your scheme doesn't look like either of those, but of course that doesn't prove that the leak doesn't matter.
$endgroup$
– Ilmari Karonen
2 days ago
1
$begingroup$
For example, assuming that you're storing the uncompressed length of the plaintext as metadata, that means that anyone looking at the compressed and encrypted data can make a pretty good guess as to whether it contains 200 MB of source code (plain text, compresses well) or 200 MB of MPEG video (already compressed, thus essentially incompressible). Could that ever be an issue?
$endgroup$
– Ilmari Karonen
2 days ago
2
$begingroup$
You could use the master secret to calculate two secrets using a KDF with a specific info string (and possibly even an included salt), and then include the output of one secret. That's, in my opinion, better than the original key check value, which is just dangerous (e.g. when combined with CTR mode and a counter of zero). Actually, the original KDF only has the advantage that you don't need to perform any other operations than encryption with the key (which means it also works for e.g. 3DES where the parity bits may differ).
$endgroup$
– Maarten Bodewes♦
2 days ago
|
show 8 more comments
$begingroup$
You should use an authenticated encryption mode. There are several reasons for that, but one (relatively minor) one is that it automatically gives you the ability to detect incorrect keys, since the authentication will fail.
If you insist on using a traditional non-authenticated encryption mode, or if you'd like to have some way of distinguishing "incorrect key" from "corrupted ciphertext", you can include a key check value together with the ciphertext, and verify it before attempting decryption. There are several possible ways to implement one.
A traditional method is to encrypt an all-zero block using the raw block cipher (i.e. "ECB mode") and use the resulting ciphertext as the key check value, but note that this makes it possible for an attacker to tell whether two messages have been encrypted using the same key by comparing the key check values. Alternatively, assuming that you're using an authenticated encryption mode anyway, you could just generate the key check value by encrypting an empty message using the same mode. Assuming that you're using a unique nonce / IV for each encryption, as you should be, this should eliminate the information leak by making every key check value also unique.
(BTW, note that compressing data before encryption can leak (extra) information about the plaintext. Basically, this happens because all general-purpose encryption schemes necessarily leak information about the length of the plaintext, and compression makes the plaintext length depend on its content. Padding reduces this leak slightly, but does not eliminate it. This has been used in actual attacks.)
answered Aug 18 at 0:52
Ilmari KaronenIlmari Karonen
38.3k3 gold badges81 silver badges150 bronze badges
$endgroup$
1
$begingroup$
@kjo: That's one situation where authenticated encryption might not be necessary. That said, I would recommend using it anyway, since it costs you basically nothing. As for using the encrypted IV/nonce as the key check value, I wouldn't recommend that without careful analysis, since for some encryption modes (including, notably, CBC) revealing the encrypted nonce leaks the first block of the plaintext(!). That said, e.g. encrypting a (possibly truncated) hash of the nonce should be safe, as should hashing the block cipher output and using that as the key check value.
$endgroup$
– Ilmari Karonen
2 days ago
1
$begingroup$
(Actually, if you have a cryptographic hash function available, as you probably do, simply concatenating the key with the nonce and hashing the result should make a fine key check value.)
$endgroup$
– Ilmari Karonen
2 days ago
2
$begingroup$
@kjo: It probably isn't. The situations where I know of it having been exploited are ones where either secret data is combined with data an attacker can control before being compressed and encrypted (as in the CRIME/BREACH attacks on HTTPS) or where the data is split into small segments in a way that allows the length of encrypted segments to leak information (as in the attacks on encrypted live voice chat). Your scheme doesn't look like either of those, but of course that doesn't prove that the leak doesn't matter.
$endgroup$
– Ilmari Karonen
2 days ago
1
$begingroup$
For example, assuming that you're storing the uncompressed length of the plaintext as metadata, that means that anyone looking at the compressed and encrypted data can make a pretty good guess as to whether it contains 200 MB of source code (plain text, compresses well) or 200 MB of MPEG video (already compressed, thus essentially incompressible). Could that ever be an issue?
$endgroup$
– Ilmari Karonen
2 days ago
2
$begingroup$
You could use the master secret to calculate two secrets using a KDF with a specific info string (and possibly even an included salt), and then include the output of one secret. That's, in my opinion, better than the original key check value, which is just dangerous (e.g. when combined with CTR mode and a counter of zero). Actually, the original KDF only has the advantage that you don't need to perform any other operations than encryption with the key (which means it also works for e.g. 3DES where the parity bits may differ).
$endgroup$
– Maarten Bodewes♦
2 days ago
|
show 8 more comments
$begingroup$
You should use an authenticated encryption mode. There are several reasons for that, but one (relatively minor) one is that it automatically gives you the ability to detect incorrect keys, since the authentication will fail.
If you insist on using a traditional non-authenticated encryption mode, or if you'd like to have some way of distinguishing "incorrect key" from "corrupted ciphertext", you can include a key check value together with the ciphertext, and verify it before attempting decryption. There are several possible ways to implement one.
A traditional method is to encrypt an all-zero block using the raw block cipher (i.e. "ECB mode") and use the resulting ciphertext as the key check value, but note that this makes it possible for an attacker to tell whether two messages have been encrypted using the same key by comparing the key check values. Alternatively, assuming that you're using an authenticated encryption mode anyway, you could just generate the key check value by encrypting an empty message using the same mode. Assuming that you're using a unique nonce / IV for each encryption, as you should be, this should eliminate the information leak by making every key check value also unique.
(BTW, note that compressing data before encryption can leak (extra) information about the plaintext. Basically, this happens because all general-purpose encryption schemes necessarily leak information about the length of the plaintext, and compression makes the plaintext length depend on its content. Padding reduces this leak slightly, but does not eliminate it. This has been used in actual attacks.)
answered Aug 18 at 0:52
Ilmari KaronenIlmari Karonen
38.3k3 gold badges81 silver badges150 bronze badges
$endgroup$
You should use an authenticated encryption mode. There are several reasons for that, but one (relatively minor) one is that it automatically gives you the ability to detect incorrect keys, since the authentication will fail.
If you insist on using a traditional non-authenticated encryption mode, or if you'd like to have some way of distinguishing "incorrect key" from "corrupted ciphertext", you can include a key check value together with the ciphertext, and verify it before attempting decryption. There are several possible ways to implement one.
A traditional method is to encrypt an all-zero block using the raw block cipher (i.e. "ECB mode") and use the resulting ciphertext as the key check value, but note that this makes it possible for an attacker to tell whether two messages have been encrypted using the same key by comparing the key check values. Alternatively, assuming that you're using an authenticated encryption mode anyway, you could just generate the key check value by encrypting an empty message using the same mode. Assuming that you're using a unique nonce / IV for each encryption, as you should be, this should eliminate the information leak by making every key check value also unique.
(BTW, note that compressing data before encryption can leak (extra) information about the plaintext. Basically, this happens because all general-purpose encryption schemes necessarily leak information about the length of the plaintext, and compression makes the plaintext length depend on its content. Padding reduces this leak slightly, but does not eliminate it. This has been used in actual attacks.)
answered Aug 18 at 0:52
Ilmari KaronenIlmari Karonen
38.3k3 gold badges81 silver badges150 bronze badges
edited Aug 18 at 0:58
answered Aug 18 at 0:52
Ilmari KaronenIlmari Karonen
38.3k3 gold badges81 silver badges150 bronze badges
answered Aug 18 at 0:52
Ilmari KaronenIlmari Karonen
38.3k3 gold badges81 silver badges150 bronze badges
answered Aug 18 at 0:52
Ilmari KaronenIlmari Karonen
38.3k3 gold badges81 silver badges150 bronze badges
38.3k3 gold badges81 silver badges150 bronze badges
1
$begingroup$
@kjo: That's one situation where authenticated encryption might not be necessary. That said, I would recommend using it anyway, since it costs you basically nothing. As for using the encrypted IV/nonce as the key check value, I wouldn't recommend that without careful analysis, since for some encryption modes (including, notably, CBC) revealing the encrypted nonce leaks the first block of the plaintext(!). That said, e.g. encrypting a (possibly truncated) hash of the nonce should be safe, as should hashing the block cipher output and using that as the key check value.
$endgroup$
– Ilmari Karonen
2 days ago
1
$begingroup$
(Actually, if you have a cryptographic hash function available, as you probably do, simply concatenating the key with the nonce and hashing the result should make a fine key check value.)
$endgroup$
– Ilmari Karonen
2 days ago
2
$begingroup$
@kjo: It probably isn't. The situations where I know of it having been exploited are ones where either secret data is combined with data an attacker can control before being compressed and encrypted (as in the CRIME/BREACH attacks on HTTPS) or where the data is split into small segments in a way that allows the length of encrypted segments to leak information (as in the attacks on encrypted live voice chat). Your scheme doesn't look like either of those, but of course that doesn't prove that the leak doesn't matter.
$endgroup$
– Ilmari Karonen
2 days ago
1
$begingroup$
For example, assuming that you're storing the uncompressed length of the plaintext as metadata, that means that anyone looking at the compressed and encrypted data can make a pretty good guess as to whether it contains 200 MB of source code (plain text, compresses well) or 200 MB of MPEG video (already compressed, thus essentially incompressible). Could that ever be an issue?
$endgroup$
– Ilmari Karonen
2 days ago
2
$begingroup$
You could use the master secret to calculate two secrets using a KDF with a specific info string (and possibly even an included salt), and then include the output of one secret. That's, in my opinion, better than the original key check value, which is just dangerous (e.g. when combined with CTR mode and a counter of zero). Actually, the original KDF only has the advantage that you don't need to perform any other operations than encryption with the key (which means it also works for e.g. 3DES where the parity bits may differ).
$endgroup$
– Maarten Bodewes♦
2 days ago
|
show 8 more comments
1
$begingroup$
@kjo: That's one situation where authenticated encryption might not be necessary. That said, I would recommend using it anyway, since it costs you basically nothing. As for using the encrypted IV/nonce as the key check value, I wouldn't recommend that without careful analysis, since for some encryption modes (including, notably, CBC) revealing the encrypted nonce leaks the first block of the plaintext(!). That said, e.g. encrypting a (possibly truncated) hash of the nonce should be safe, as should hashing the block cipher output and using that as the key check value.
$endgroup$
– Ilmari Karonen
2 days ago
1
$begingroup$
(Actually, if you have a cryptographic hash function available, as you probably do, simply concatenating the key with the nonce and hashing the result should make a fine key check value.)
$endgroup$
– Ilmari Karonen
2 days ago
2
$begingroup$
@kjo: It probably isn't. The situations where I know of it having been exploited are ones where either secret data is combined with data an attacker can control before being compressed and encrypted (as in the CRIME/BREACH attacks on HTTPS) or where the data is split into small segments in a way that allows the length of encrypted segments to leak information (as in the attacks on encrypted live voice chat). Your scheme doesn't look like either of those, but of course that doesn't prove that the leak doesn't matter.
$endgroup$
– Ilmari Karonen
2 days ago
1
$begingroup$
For example, assuming that you're storing the uncompressed length of the plaintext as metadata, that means that anyone looking at the compressed and encrypted data can make a pretty good guess as to whether it contains 200 MB of source code (plain text, compresses well) or 200 MB of MPEG video (already compressed, thus essentially incompressible). Could that ever be an issue?
$endgroup$
– Ilmari Karonen
2 days ago
2
$begingroup$
You could use the master secret to calculate two secrets using a KDF with a specific info string (and possibly even an included salt), and then include the output of one secret. That's, in my opinion, better than the original key check value, which is just dangerous (e.g. when combined with CTR mode and a counter of zero). Actually, the original KDF only has the advantage that you don't need to perform any other operations than encryption with the key (which means it also works for e.g. 3DES where the parity bits may differ).
$endgroup$
– Maarten Bodewes♦
2 days ago
1
1
$begingroup$
@kjo: That's one situation where authenticated encryption might not be necessary. That said, I would recommend using it anyway, since it costs you basically nothing. As for using the encrypted IV/nonce as the key check value, I wouldn't recommend that without careful analysis, since for some encryption modes (including, notably, CBC) revealing the encrypted nonce leaks the first block of the plaintext(!). That said, e.g. encrypting a (possibly truncated) hash of the nonce should be safe, as should hashing the block cipher output and using that as the key check value.
$endgroup$
– Ilmari Karonen
2 days ago
$begingroup$
@kjo: That's one situation where authenticated encryption might not be necessary. That said, I would recommend using it anyway, since it costs you basically nothing. As for using the encrypted IV/nonce as the key check value, I wouldn't recommend that without careful analysis, since for some encryption modes (including, notably, CBC) revealing the encrypted nonce leaks the first block of the plaintext(!). That said, e.g. encrypting a (possibly truncated) hash of the nonce should be safe, as should hashing the block cipher output and using that as the key check value.
$endgroup$
– Ilmari Karonen
2 days ago
1
1
$begingroup$
(Actually, if you have a cryptographic hash function available, as you probably do, simply concatenating the key with the nonce and hashing the result should make a fine key check value.)
$endgroup$
– Ilmari Karonen
2 days ago
$begingroup$
(Actually, if you have a cryptographic hash function available, as you probably do, simply concatenating the key with the nonce and hashing the result should make a fine key check value.)
$endgroup$
– Ilmari Karonen
2 days ago
2
2
$begingroup$
@kjo: It probably isn't. The situations where I know of it having been exploited are ones where either secret data is combined with data an attacker can control before being compressed and encrypted (as in the CRIME/BREACH attacks on HTTPS) or where the data is split into small segments in a way that allows the length of encrypted segments to leak information (as in the attacks on encrypted live voice chat). Your scheme doesn't look like either of those, but of course that doesn't prove that the leak doesn't matter.
$endgroup$
– Ilmari Karonen
2 days ago
$begingroup$
@kjo: It probably isn't. The situations where I know of it having been exploited are ones where either secret data is combined with data an attacker can control before being compressed and encrypted (as in the CRIME/BREACH attacks on HTTPS) or where the data is split into small segments in a way that allows the length of encrypted segments to leak information (as in the attacks on encrypted live voice chat). Your scheme doesn't look like either of those, but of course that doesn't prove that the leak doesn't matter.
$endgroup$
– Ilmari Karonen
2 days ago
1
1
$begingroup$
For example, assuming that you're storing the uncompressed length of the plaintext as metadata, that means that anyone looking at the compressed and encrypted data can make a pretty good guess as to whether it contains 200 MB of source code (plain text, compresses well) or 200 MB of MPEG video (already compressed, thus essentially incompressible). Could that ever be an issue?
$endgroup$
– Ilmari Karonen
2 days ago
$begingroup$
For example, assuming that you're storing the uncompressed length of the plaintext as metadata, that means that anyone looking at the compressed and encrypted data can make a pretty good guess as to whether it contains 200 MB of source code (plain text, compresses well) or 200 MB of MPEG video (already compressed, thus essentially incompressible). Could that ever be an issue?
$endgroup$
– Ilmari Karonen
2 days ago
2
2
$begingroup$
You could use the master secret to calculate two secrets using a KDF with a specific info string (and possibly even an included salt), and then include the output of one secret. That's, in my opinion, better than the original key check value, which is just dangerous (e.g. when combined with CTR mode and a counter of zero). Actually, the original KDF only has the advantage that you don't need to perform any other operations than encryption with the key (which means it also works for e.g. 3DES where the parity bits may differ).
$endgroup$
– Maarten Bodewes♦
2 days ago
$begingroup$
You could use the master secret to calculate two secrets using a KDF with a specific info string (and possibly even an included salt), and then include the output of one secret. That's, in my opinion, better than the original key check value, which is just dangerous (e.g. when combined with CTR mode and a counter of zero). Actually, the original KDF only has the advantage that you don't need to perform any other operations than encryption with the key (which means it also works for e.g. 3DES where the parity bits may differ).
$endgroup$
– Maarten Bodewes♦
2 days ago
|
show 8 more comments
$begingroup$
Ilmari Karonen already mentioned using an authenticated encryption mode, which would solve the concerns, but should you not go that way, please note the flaw in your premise:
If one provides the wrong key to the decryption+decompression function, the decompression stage will explicitly fail, as expected, since the decrypted content (being based on the wrong key) will be just noise.
Pretty much any wrong key or change in the ciphertext will decrypt to something which is not valid for the decompression algorithm you used, and that it will detect (and hopefully your program will detect that error). But that isn't guaranteed.
A trivial solution would be to include an HMAC/hash of the plaintext/compressed content, which would allow you to validate that you decrypted the right content.
This is even more important taking into account that your use case is long-term storage. I wouldn't be surprised if it was possible to truncate one such file at the right boundary that it was unnoticed not only by the AES-CBC but also by the underlying compression function. Just adding a key-check value won't detect that issue.
Since you are aiming for storage, it probably won't matter for you, but note that if this was used in eg. an online protocol, detecting decompression errors would provide an oracle to an attacker that sent your decrypter multiple corrupted blocks, based on the difference of time it needed for processing it.
answered 2 days ago
ÁngelÁngel
2762 silver badges4 bronze badges
$endgroup$
1
$begingroup$
I guess that depending on the modes of failure that including a MAC and a key check value (or separate KDF value as KCV, see my comment below Ilmari's answer) would be a good idea. As indicated, a KCV is to detect if the key is correct or not, the MAC if the integrity of the data is preserved (although, of course, the KCV can also be altered in some situations).
$endgroup$
– Maarten Bodewes♦
2 days ago
1
$begingroup$
@MaartenBodewes I am presenting why the OP should care about an integrity check. kjo may wish to add that plus a KCV. Actually, I am not sure what exactly drives his need of such check, which would influence what to check and where. Personally, I would probably add a 1.byte of the password hash, similarly to the zip format, thus we are only giving out a tiny bit of information on the password itself, requiring bruteforcing attempts to decrypt the whole file to test their guesses.
$endgroup$
– Ángel
yesterday
$begingroup$
OK, although I think the single byte is useful for transmitting the least amount of data. There is no need to decrypt a whole file to guess a password, even on most AEAD schemes; just decrypting a few blocks without verifying the authentication tag is enough.
$endgroup$
– Maarten Bodewes♦
14 hours ago
add a comment |
$begingroup$
Ilmari Karonen already mentioned using an authenticated encryption mode, which would solve the concerns, but should you not go that way, please note the flaw in your premise:
If one provides the wrong key to the decryption+decompression function, the decompression stage will explicitly fail, as expected, since the decrypted content (being based on the wrong key) will be just noise.
Pretty much any wrong key or change in the ciphertext will decrypt to something which is not valid for the decompression algorithm you used, and that it will detect (and hopefully your program will detect that error). But that isn't guaranteed.
A trivial solution would be to include an HMAC/hash of the plaintext/compressed content, which would allow you to validate that you decrypted the right content.
This is even more important taking into account that your use case is long-term storage. I wouldn't be surprised if it was possible to truncate one such file at the right boundary that it was unnoticed not only by the AES-CBC but also by the underlying compression function. Just adding a key-check value won't detect that issue.
Since you are aiming for storage, it probably won't matter for you, but note that if this was used in eg. an online protocol, detecting decompression errors would provide an oracle to an attacker that sent your decrypter multiple corrupted blocks, based on the difference of time it needed for processing it.
answered 2 days ago
ÁngelÁngel
2762 silver badges4 bronze badges
$endgroup$
1
$begingroup$
I guess that depending on the modes of failure that including a MAC and a key check value (or separate KDF value as KCV, see my comment below Ilmari's answer) would be a good idea. As indicated, a KCV is to detect if the key is correct or not, the MAC if the integrity of the data is preserved (although, of course, the KCV can also be altered in some situations).
$endgroup$
– Maarten Bodewes♦
2 days ago
1
$begingroup$
@MaartenBodewes I am presenting why the OP should care about an integrity check. kjo may wish to add that plus a KCV. Actually, I am not sure what exactly drives his need of such check, which would influence what to check and where. Personally, I would probably add a 1.byte of the password hash, similarly to the zip format, thus we are only giving out a tiny bit of information on the password itself, requiring bruteforcing attempts to decrypt the whole file to test their guesses.
$endgroup$
– Ángel
yesterday
$begingroup$
OK, although I think the single byte is useful for transmitting the least amount of data. There is no need to decrypt a whole file to guess a password, even on most AEAD schemes; just decrypting a few blocks without verifying the authentication tag is enough.
$endgroup$
– Maarten Bodewes♦
14 hours ago
add a comment |
$begingroup$
Ilmari Karonen already mentioned using an authenticated encryption mode, which would solve the concerns, but should you not go that way, please note the flaw in your premise:
If one provides the wrong key to the decryption+decompression function, the decompression stage will explicitly fail, as expected, since the decrypted content (being based on the wrong key) will be just noise.
Pretty much any wrong key or change in the ciphertext will decrypt to something which is not valid for the decompression algorithm you used, and that it will detect (and hopefully your program will detect that error). But that isn't guaranteed.
A trivial solution would be to include an HMAC/hash of the plaintext/compressed content, which would allow you to validate that you decrypted the right content.
This is even more important taking into account that your use case is long-term storage. I wouldn't be surprised if it was possible to truncate one such file at the right boundary that it was unnoticed not only by the AES-CBC but also by the underlying compression function. Just adding a key-check value won't detect that issue.
Since you are aiming for storage, it probably won't matter for you, but note that if this was used in eg. an online protocol, detecting decompression errors would provide an oracle to an attacker that sent your decrypter multiple corrupted blocks, based on the difference of time it needed for processing it.
answered 2 days ago
ÁngelÁngel
2762 silver badges4 bronze badges
$endgroup$
Ilmari Karonen already mentioned using an authenticated encryption mode, which would solve the concerns, but should you not go that way, please note the flaw in your premise:
If one provides the wrong key to the decryption+decompression function, the decompression stage will explicitly fail, as expected, since the decrypted content (being based on the wrong key) will be just noise.
Pretty much any wrong key or change in the ciphertext will decrypt to something which is not valid for the decompression algorithm you used, and that it will detect (and hopefully your program will detect that error). But that isn't guaranteed.
A trivial solution would be to include an HMAC/hash of the plaintext/compressed content, which would allow you to validate that you decrypted the right content.
This is even more important taking into account that your use case is long-term storage. I wouldn't be surprised if it was possible to truncate one such file at the right boundary that it was unnoticed not only by the AES-CBC but also by the underlying compression function. Just adding a key-check value won't detect that issue.
Since you are aiming for storage, it probably won't matter for you, but note that if this was used in eg. an online protocol, detecting decompression errors would provide an oracle to an attacker that sent your decrypter multiple corrupted blocks, based on the difference of time it needed for processing it.
answered 2 days ago
ÁngelÁngel
2762 silver badges4 bronze badges
answered 2 days ago
ÁngelÁngel
2762 silver badges4 bronze badges
answered 2 days ago
ÁngelÁngel
2762 silver badges4 bronze badges
answered 2 days ago
ÁngelÁngel
2762 silver badges4 bronze badges
2762 silver badges4 bronze badges
1
$begingroup$
I guess that depending on the modes of failure that including a MAC and a key check value (or separate KDF value as KCV, see my comment below Ilmari's answer) would be a good idea. As indicated, a KCV is to detect if the key is correct or not, the MAC if the integrity of the data is preserved (although, of course, the KCV can also be altered in some situations).
$endgroup$
– Maarten Bodewes♦
2 days ago
1
$begingroup$
@MaartenBodewes I am presenting why the OP should care about an integrity check. kjo may wish to add that plus a KCV. Actually, I am not sure what exactly drives his need of such check, which would influence what to check and where. Personally, I would probably add a 1.byte of the password hash, similarly to the zip format, thus we are only giving out a tiny bit of information on the password itself, requiring bruteforcing attempts to decrypt the whole file to test their guesses.
$endgroup$
– Ángel
yesterday
$begingroup$
OK, although I think the single byte is useful for transmitting the least amount of data. There is no need to decrypt a whole file to guess a password, even on most AEAD schemes; just decrypting a few blocks without verifying the authentication tag is enough.
$endgroup$
– Maarten Bodewes♦
14 hours ago
add a comment |
1
$begingroup$
I guess that depending on the modes of failure that including a MAC and a key check value (or separate KDF value as KCV, see my comment below Ilmari's answer) would be a good idea. As indicated, a KCV is to detect if the key is correct or not, the MAC if the integrity of the data is preserved (although, of course, the KCV can also be altered in some situations).
$endgroup$
– Maarten Bodewes♦
2 days ago
1
$begingroup$
@MaartenBodewes I am presenting why the OP should care about an integrity check. kjo may wish to add that plus a KCV. Actually, I am not sure what exactly drives his need of such check, which would influence what to check and where. Personally, I would probably add a 1.byte of the password hash, similarly to the zip format, thus we are only giving out a tiny bit of information on the password itself, requiring bruteforcing attempts to decrypt the whole file to test their guesses.
$endgroup$
– Ángel
yesterday
$begingroup$
OK, although I think the single byte is useful for transmitting the least amount of data. There is no need to decrypt a whole file to guess a password, even on most AEAD schemes; just decrypting a few blocks without verifying the authentication tag is enough.
$endgroup$
– Maarten Bodewes♦
14 hours ago
1
1
$begingroup$
I guess that depending on the modes of failure that including a MAC and a key check value (or separate KDF value as KCV, see my comment below Ilmari's answer) would be a good idea. As indicated, a KCV is to detect if the key is correct or not, the MAC if the integrity of the data is preserved (although, of course, the KCV can also be altered in some situations).
$endgroup$
– Maarten Bodewes♦
2 days ago
$begingroup$
I guess that depending on the modes of failure that including a MAC and a key check value (or separate KDF value as KCV, see my comment below Ilmari's answer) would be a good idea. As indicated, a KCV is to detect if the key is correct or not, the MAC if the integrity of the data is preserved (although, of course, the KCV can also be altered in some situations).
$endgroup$
– Maarten Bodewes♦
2 days ago
1
1
$begingroup$
@MaartenBodewes I am presenting why the OP should care about an integrity check. kjo may wish to add that plus a KCV. Actually, I am not sure what exactly drives his need of such check, which would influence what to check and where. Personally, I would probably add a 1.byte of the password hash, similarly to the zip format, thus we are only giving out a tiny bit of information on the password itself, requiring bruteforcing attempts to decrypt the whole file to test their guesses.
$endgroup$
– Ángel
yesterday
$begingroup$
@MaartenBodewes I am presenting why the OP should care about an integrity check. kjo may wish to add that plus a KCV. Actually, I am not sure what exactly drives his need of such check, which would influence what to check and where. Personally, I would probably add a 1.byte of the password hash, similarly to the zip format, thus we are only giving out a tiny bit of information on the password itself, requiring bruteforcing attempts to decrypt the whole file to test their guesses.
$endgroup$
– Ángel
yesterday
$begingroup$
OK, although I think the single byte is useful for transmitting the least amount of data. There is no need to decrypt a whole file to guess a password, even on most AEAD schemes; just decrypting a few blocks without verifying the authentication tag is enough.
$endgroup$
– Maarten Bodewes♦
14 hours ago
$begingroup$
OK, although I think the single byte is useful for transmitting the least amount of data. There is no need to decrypt a whole file to guess a password, even on most AEAD schemes; just decrypting a few blocks without verifying the authentication tag is enough.
$endgroup$
– Maarten Bodewes♦
14 hours ago
add a comment |
$begingroup$
There is no way to detect the wrong key before decrypting: I can create a message M, a totally valid and legitimate key K, and then I encrypt the message with a different key K': Any information that I give you about the key K will be totally legitimate and fine, it will just not be about the key I used to encrypt the message.
You can try to include additional information, but whatever you ask for, I can supply you with information that would be correct with the key K, and then use the key K'.
I can even start encrypting using K, encrypt 90% of the message that way, and use K' for the remaining 10%. So there is no way to detect an incorrect key other than decrypting the complete message, and checking that the decrypted message is valid.
answered 2 days ago
gnasher729gnasher729
8783 silver badges5 bronze badges
$endgroup$
2
$begingroup$
That's true, but it is possible to safely distinguish between "this message might be valid, but clearly not encrypted with this key" and "at least a part of this message has been encrypted with this key, but the rest is invalid" without having to process the full message in the first case. This distinction can be useful if you expect the receiver to sometimes attempt decryption with the wrong key (e.g. because they mistyped the passphrase the key was derived from) even in the absence of any malicious attacks, and if verifying the full message just to catch a typo may be undesirably slow.
$endgroup$
– Ilmari Karonen
2 days ago
1
$begingroup$
True, and it may be very useful if only part of the message is received. I had to show why signature verification failed on message that was cut in two, but I had to process the whole file for that (I told them that a separate FTP process could not indicate that the file upload was finished, sigh).
$endgroup$
– Maarten Bodewes♦
2 days ago
add a comment |
$begingroup$
There is no way to detect the wrong key before decrypting: I can create a message M, a totally valid and legitimate key K, and then I encrypt the message with a different key K': Any information that I give you about the key K will be totally legitimate and fine, it will just not be about the key I used to encrypt the message.
You can try to include additional information, but whatever you ask for, I can supply you with information that would be correct with the key K, and then use the key K'.
I can even start encrypting using K, encrypt 90% of the message that way, and use K' for the remaining 10%. So there is no way to detect an incorrect key other than decrypting the complete message, and checking that the decrypted message is valid.
answered 2 days ago
gnasher729gnasher729
8783 silver badges5 bronze badges
$endgroup$
2
$begingroup$
That's true, but it is possible to safely distinguish between "this message might be valid, but clearly not encrypted with this key" and "at least a part of this message has been encrypted with this key, but the rest is invalid" without having to process the full message in the first case. This distinction can be useful if you expect the receiver to sometimes attempt decryption with the wrong key (e.g. because they mistyped the passphrase the key was derived from) even in the absence of any malicious attacks, and if verifying the full message just to catch a typo may be undesirably slow.
$endgroup$
– Ilmari Karonen
2 days ago
1
$begingroup$
True, and it may be very useful if only part of the message is received. I had to show why signature verification failed on message that was cut in two, but I had to process the whole file for that (I told them that a separate FTP process could not indicate that the file upload was finished, sigh).
$endgroup$
– Maarten Bodewes♦
2 days ago
add a comment |
$begingroup$
There is no way to detect the wrong key before decrypting: I can create a message M, a totally valid and legitimate key K, and then I encrypt the message with a different key K': Any information that I give you about the key K will be totally legitimate and fine, it will just not be about the key I used to encrypt the message.
You can try to include additional information, but whatever you ask for, I can supply you with information that would be correct with the key K, and then use the key K'.
I can even start encrypting using K, encrypt 90% of the message that way, and use K' for the remaining 10%. So there is no way to detect an incorrect key other than decrypting the complete message, and checking that the decrypted message is valid.
answered 2 days ago
gnasher729gnasher729
8783 silver badges5 bronze badges
$endgroup$
There is no way to detect the wrong key before decrypting: I can create a message M, a totally valid and legitimate key K, and then I encrypt the message with a different key K': Any information that I give you about the key K will be totally legitimate and fine, it will just not be about the key I used to encrypt the message.
You can try to include additional information, but whatever you ask for, I can supply you with information that would be correct with the key K, and then use the key K'.
I can even start encrypting using K, encrypt 90% of the message that way, and use K' for the remaining 10%. So there is no way to detect an incorrect key other than decrypting the complete message, and checking that the decrypted message is valid.
answered 2 days ago
gnasher729gnasher729
8783 silver badges5 bronze badges
answered 2 days ago
gnasher729gnasher729
8783 silver badges5 bronze badges
answered 2 days ago
gnasher729gnasher729
8783 silver badges5 bronze badges
answered 2 days ago
gnasher729gnasher729
8783 silver badges5 bronze badges
8783 silver badges5 bronze badges
2
$begingroup$
That's true, but it is possible to safely distinguish between "this message might be valid, but clearly not encrypted with this key" and "at least a part of this message has been encrypted with this key, but the rest is invalid" without having to process the full message in the first case. This distinction can be useful if you expect the receiver to sometimes attempt decryption with the wrong key (e.g. because they mistyped the passphrase the key was derived from) even in the absence of any malicious attacks, and if verifying the full message just to catch a typo may be undesirably slow.
$endgroup$
– Ilmari Karonen
2 days ago
1
$begingroup$
True, and it may be very useful if only part of the message is received. I had to show why signature verification failed on message that was cut in two, but I had to process the whole file for that (I told them that a separate FTP process could not indicate that the file upload was finished, sigh).
$endgroup$
– Maarten Bodewes♦
2 days ago
add a comment |
2
$begingroup$
That's true, but it is possible to safely distinguish between "this message might be valid, but clearly not encrypted with this key" and "at least a part of this message has been encrypted with this key, but the rest is invalid" without having to process the full message in the first case. This distinction can be useful if you expect the receiver to sometimes attempt decryption with the wrong key (e.g. because they mistyped the passphrase the key was derived from) even in the absence of any malicious attacks, and if verifying the full message just to catch a typo may be undesirably slow.
$endgroup$
– Ilmari Karonen
2 days ago
1
$begingroup$
True, and it may be very useful if only part of the message is received. I had to show why signature verification failed on message that was cut in two, but I had to process the whole file for that (I told them that a separate FTP process could not indicate that the file upload was finished, sigh).
$endgroup$
– Maarten Bodewes♦
2 days ago
2
2
$begingroup$
That's true, but it is possible to safely distinguish between "this message might be valid, but clearly not encrypted with this key" and "at least a part of this message has been encrypted with this key, but the rest is invalid" without having to process the full message in the first case. This distinction can be useful if you expect the receiver to sometimes attempt decryption with the wrong key (e.g. because they mistyped the passphrase the key was derived from) even in the absence of any malicious attacks, and if verifying the full message just to catch a typo may be undesirably slow.
$endgroup$
– Ilmari Karonen
2 days ago
$begingroup$
That's true, but it is possible to safely distinguish between "this message might be valid, but clearly not encrypted with this key" and "at least a part of this message has been encrypted with this key, but the rest is invalid" without having to process the full message in the first case. This distinction can be useful if you expect the receiver to sometimes attempt decryption with the wrong key (e.g. because they mistyped the passphrase the key was derived from) even in the absence of any malicious attacks, and if verifying the full message just to catch a typo may be undesirably slow.
$endgroup$
– Ilmari Karonen
2 days ago
1
1
$begingroup$
True, and it may be very useful if only part of the message is received. I had to show why signature verification failed on message that was cut in two, but I had to process the whole file for that (I told them that a separate FTP process could not indicate that the file upload was finished, sigh).
$endgroup$
– Maarten Bodewes♦
2 days ago
$begingroup$
True, and it may be very useful if only part of the message is received. I had to show why signature verification failed on message that was cut in two, but I had to process the whole file for that (I told them that a separate FTP process could not indicate that the file upload was finished, sigh).
$endgroup$
– Maarten Bodewes♦
2 days ago
add a comment |
Thanks for contributing an answer to Cryptography Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f72658%2fhow-do-i-detect-a-failed-aes-256-decryption-programmatically%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
2
$begingroup$
CBC mode is vulnerable to padding oracle attacks and it is removed in TLS 1.3. In TLS 1.3, we have only Authenticated Encryption (AE) modes like AES-GCM and ChaCha-Poly1305. It better to switch since AE gives you not only confidentiality but also integrity and authentication.
$endgroup$
– kelalaka
2 days ago
$begingroup$
Your search engine fodder is "authenticated encryption." Also: (a) you should not be using CBC at all; (b) you really ought to read a modern crypto book first, I recommend Aumasson's Serious Cryptography.
$endgroup$
– Luis Casillas
6 hours ago