How to check a file was encrypted (really & correctly)Any good file format alternative to PGP for...

Ancients don't give a full level?

Probably terminated or laid off soon; confront or not?

Can I use my US callsign to transmit while in El Salvador?

What's "halachic" about "Esav hates Ya'akov"?

What is it exactly about flying a Flyboard across the English channel that made Zapata's thighs burn?

Conditional probability of dependent random variables

Is there a command-line tool for converting html files to pdf?

3 beeps on a 486 computer with an American Megatrends bios?

Why does capacitance not depend on the material of the plates?

Piece de Resistance - Introduction & Ace and A's

How to win against ants

Does a humanoid possessed by a ghost register as undead to a paladin's Divine Sense?

What percentage of campground outlets are GFCI or RCD protected?

What does "autolyco-sentimental" mean?

Is it okay to use different fingers every time while playing a song on keyboard? Is it considered a bad practice?

…down the primrose path

How do I show and not tell a backstory?

Why are there yellow dot stickers on the front doors of businesses in Russia?

Are the related objects in an SOQL query shared?

Is a switch from R to Python worth it?

foot-pounds of energy?

On the consistency of different well-polished astronomy software

Can I enter a rental property without giving notice if I'm afraid a tenant may be hurt?

Can a Hogwarts student refuse the Sorting Hat's decision?



How to check a file was encrypted (really & correctly)


Any good file format alternative to PGP for encrypting data at rest?How to design a cryptographically secure file hosting serviceHow to encrypt a file for random accessIs there any benefit of changing the AES-CCM encryption key periodically even if the Nonce space is not exhausted yet?Can a file encrypted with one tool be decrypted with different tool?Using what we already know about the data to decrypt it?How to effectively apply combination of Block and Stream Cipher?Derivation of many (Key, IV) pairs from random 128 nonces and one secret 512 master keyHow secure is a system that retrieves encrypted private keys from a public database?Best practices when encrypting a file with three different ciphers






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ margin-bottom:0;
}







3












$begingroup$


I would like to audit how an implementation of an encryption algorithm is really performed with the following given data of the problem:




  • the encryption mechanism is reversible,

  • the algorithm is pretended to be AES256, but might be implemented correctly or not, or worse something else,

  • the key is not known,

  • I don't have access to the source code.


At least I would like to be able to detect that the file is not encrypted.
Next I would like to be able to detect that the RNG is running in a tiny set or not really random.



In a first approach I thought to make an analysis of the randomness quality of the encrypted file: average value + standard deviation (with a tool like ent).
But I immediatly thought of artificial files with a perfect average value
and standard deviation which are perfectly regular and not the result of any encryption.
Then my first approach is wrong.



The environment in which I will make this audit is a Unix one.










share|improve this question









New contributor



dan is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






$endgroup$














  • $begingroup$
    Whether or not you know the plaintext is irrelevant if you don't have the key.
    $endgroup$
    – forest
    17 hours ago






  • 2




    $begingroup$
    If you're auditing a real thing, the data must be real. It must therefore have some characteristic stochastic properties that you could look for. Or not have them. Or are you just encrypting one time pads/TRNG output?
    $endgroup$
    – Paul Uszak
    17 hours ago










  • $begingroup$
    I fixed an error in my problem description: I don’t know the clear text in most cases (caches of a running OS), but I can generate it and then encrypt it (with plain files text).
    $endgroup$
    – dan
    13 hours ago






  • 1




    $begingroup$
    You can use the execution time of the encryption to compare with some implementations. Also, try to perform cache attack if not properly implemented.
    $endgroup$
    – kelalaka
    9 hours ago










  • $begingroup$
    Well, what data structure would you generate? Unless it's pretty random, it will probably be distinguishable from encrypted by the fact that it can be compressed fairly easily. It all comes down to what your plain texts are, but probably doable.
    $endgroup$
    – Paul Uszak
    8 hours ago




















3












$begingroup$


I would like to audit how an implementation of an encryption algorithm is really performed with the following given data of the problem:




  • the encryption mechanism is reversible,

  • the algorithm is pretended to be AES256, but might be implemented correctly or not, or worse something else,

  • the key is not known,

  • I don't have access to the source code.


At least I would like to be able to detect that the file is not encrypted.
Next I would like to be able to detect that the RNG is running in a tiny set or not really random.



In a first approach I thought to make an analysis of the randomness quality of the encrypted file: average value + standard deviation (with a tool like ent).
But I immediatly thought of artificial files with a perfect average value
and standard deviation which are perfectly regular and not the result of any encryption.
Then my first approach is wrong.



The environment in which I will make this audit is a Unix one.










share|improve this question









New contributor



dan is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






$endgroup$














  • $begingroup$
    Whether or not you know the plaintext is irrelevant if you don't have the key.
    $endgroup$
    – forest
    17 hours ago






  • 2




    $begingroup$
    If you're auditing a real thing, the data must be real. It must therefore have some characteristic stochastic properties that you could look for. Or not have them. Or are you just encrypting one time pads/TRNG output?
    $endgroup$
    – Paul Uszak
    17 hours ago










  • $begingroup$
    I fixed an error in my problem description: I don’t know the clear text in most cases (caches of a running OS), but I can generate it and then encrypt it (with plain files text).
    $endgroup$
    – dan
    13 hours ago






  • 1




    $begingroup$
    You can use the execution time of the encryption to compare with some implementations. Also, try to perform cache attack if not properly implemented.
    $endgroup$
    – kelalaka
    9 hours ago










  • $begingroup$
    Well, what data structure would you generate? Unless it's pretty random, it will probably be distinguishable from encrypted by the fact that it can be compressed fairly easily. It all comes down to what your plain texts are, but probably doable.
    $endgroup$
    – Paul Uszak
    8 hours ago
















3












3








3


2



$begingroup$


I would like to audit how an implementation of an encryption algorithm is really performed with the following given data of the problem:




  • the encryption mechanism is reversible,

  • the algorithm is pretended to be AES256, but might be implemented correctly or not, or worse something else,

  • the key is not known,

  • I don't have access to the source code.


At least I would like to be able to detect that the file is not encrypted.
Next I would like to be able to detect that the RNG is running in a tiny set or not really random.



In a first approach I thought to make an analysis of the randomness quality of the encrypted file: average value + standard deviation (with a tool like ent).
But I immediatly thought of artificial files with a perfect average value
and standard deviation which are perfectly regular and not the result of any encryption.
Then my first approach is wrong.



The environment in which I will make this audit is a Unix one.










share|improve this question









New contributor



dan is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






$endgroup$




I would like to audit how an implementation of an encryption algorithm is really performed with the following given data of the problem:




  • the encryption mechanism is reversible,

  • the algorithm is pretended to be AES256, but might be implemented correctly or not, or worse something else,

  • the key is not known,

  • I don't have access to the source code.


At least I would like to be able to detect that the file is not encrypted.
Next I would like to be able to detect that the RNG is running in a tiny set or not really random.



In a first approach I thought to make an analysis of the randomness quality of the encrypted file: average value + standard deviation (with a tool like ent).
But I immediatly thought of artificial files with a perfect average value
and standard deviation which are perfectly regular and not the result of any encryption.
Then my first approach is wrong.



The environment in which I will make this audit is a Unix one.







cryptanalysis file-encryption






share|improve this question









New contributor



dan is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.










share|improve this question









New contributor



dan is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.








share|improve this question




share|improve this question








edited 5 hours ago







dan













New contributor



dan is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.








asked 17 hours ago









dandan

1195 bronze badges




1195 bronze badges




New contributor



dan is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.




New contributor




dan is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

















  • $begingroup$
    Whether or not you know the plaintext is irrelevant if you don't have the key.
    $endgroup$
    – forest
    17 hours ago






  • 2




    $begingroup$
    If you're auditing a real thing, the data must be real. It must therefore have some characteristic stochastic properties that you could look for. Or not have them. Or are you just encrypting one time pads/TRNG output?
    $endgroup$
    – Paul Uszak
    17 hours ago










  • $begingroup$
    I fixed an error in my problem description: I don’t know the clear text in most cases (caches of a running OS), but I can generate it and then encrypt it (with plain files text).
    $endgroup$
    – dan
    13 hours ago






  • 1




    $begingroup$
    You can use the execution time of the encryption to compare with some implementations. Also, try to perform cache attack if not properly implemented.
    $endgroup$
    – kelalaka
    9 hours ago










  • $begingroup$
    Well, what data structure would you generate? Unless it's pretty random, it will probably be distinguishable from encrypted by the fact that it can be compressed fairly easily. It all comes down to what your plain texts are, but probably doable.
    $endgroup$
    – Paul Uszak
    8 hours ago




















  • $begingroup$
    Whether or not you know the plaintext is irrelevant if you don't have the key.
    $endgroup$
    – forest
    17 hours ago






  • 2




    $begingroup$
    If you're auditing a real thing, the data must be real. It must therefore have some characteristic stochastic properties that you could look for. Or not have them. Or are you just encrypting one time pads/TRNG output?
    $endgroup$
    – Paul Uszak
    17 hours ago










  • $begingroup$
    I fixed an error in my problem description: I don’t know the clear text in most cases (caches of a running OS), but I can generate it and then encrypt it (with plain files text).
    $endgroup$
    – dan
    13 hours ago






  • 1




    $begingroup$
    You can use the execution time of the encryption to compare with some implementations. Also, try to perform cache attack if not properly implemented.
    $endgroup$
    – kelalaka
    9 hours ago










  • $begingroup$
    Well, what data structure would you generate? Unless it's pretty random, it will probably be distinguishable from encrypted by the fact that it can be compressed fairly easily. It all comes down to what your plain texts are, but probably doable.
    $endgroup$
    – Paul Uszak
    8 hours ago


















$begingroup$
Whether or not you know the plaintext is irrelevant if you don't have the key.
$endgroup$
– forest
17 hours ago




$begingroup$
Whether or not you know the plaintext is irrelevant if you don't have the key.
$endgroup$
– forest
17 hours ago




2




2




$begingroup$
If you're auditing a real thing, the data must be real. It must therefore have some characteristic stochastic properties that you could look for. Or not have them. Or are you just encrypting one time pads/TRNG output?
$endgroup$
– Paul Uszak
17 hours ago




$begingroup$
If you're auditing a real thing, the data must be real. It must therefore have some characteristic stochastic properties that you could look for. Or not have them. Or are you just encrypting one time pads/TRNG output?
$endgroup$
– Paul Uszak
17 hours ago












$begingroup$
I fixed an error in my problem description: I don’t know the clear text in most cases (caches of a running OS), but I can generate it and then encrypt it (with plain files text).
$endgroup$
– dan
13 hours ago




$begingroup$
I fixed an error in my problem description: I don’t know the clear text in most cases (caches of a running OS), but I can generate it and then encrypt it (with plain files text).
$endgroup$
– dan
13 hours ago




1




1




$begingroup$
You can use the execution time of the encryption to compare with some implementations. Also, try to perform cache attack if not properly implemented.
$endgroup$
– kelalaka
9 hours ago




$begingroup$
You can use the execution time of the encryption to compare with some implementations. Also, try to perform cache attack if not properly implemented.
$endgroup$
– kelalaka
9 hours ago












$begingroup$
Well, what data structure would you generate? Unless it's pretty random, it will probably be distinguishable from encrypted by the fact that it can be compressed fairly easily. It all comes down to what your plain texts are, but probably doable.
$endgroup$
– Paul Uszak
8 hours ago






$begingroup$
Well, what data structure would you generate? Unless it's pretty random, it will probably be distinguishable from encrypted by the fact that it can be compressed fairly easily. It all comes down to what your plain texts are, but probably doable.
$endgroup$
– Paul Uszak
8 hours ago












3 Answers
3






active

oldest

votes


















10












$begingroup$

If you can't get access to the key for at least some sample uses, there's no way to be sure. For example, it's impossible to distinguish AES-128 from AES-256 if you don't have access to the key. That's true of any encryption method: without knowing the key, you can't distinguish the ciphertext from random data of the same length.



A professional auditor would normally get access to some test keys, if they can't normally access those keys through some administration interface.



You can make a statistical test, but all this will tell you is that the encryption is not completely botched or skipped.



If your vendor is not completely dishonest and they claim to have used AES, they probably did use AES. A far more common problem than not using AES is using AES wrong. Here too, you can't be sure that they got it right, but you can at least check for some common problems.



Check how the length of the ciphertext varies depending on the length of the plaintext. The ciphertext should include an initialization vector and an authentication tag, each of which normally adds 16 bytes. If the ciphertext is not 32 bytes larger than the plaintext, something is probably wrong, but there are cases where it can be ok (e.g. for disk encryption where the sector number is used to build unique IVs and no threat requires authentication).



Pass the same inputs in different conditions and make sure that the resulting ciphertexts are completely different. If you can arrange to encrypt multiple messages with the same key, make sure that identical messages result in completely different ciphertexts. This validates that initialization vectors are generated, if not correctly, then at least non-stupidly.



If there's a way for you to submit modified ciphertexts, do that and check that they are rejected with a generic “invalid ciphertext” error, rather than a specific error due to invalid content. This validates that authenticated encryption is used. There are threat models where it's ok not to have authentication, but you need to tread very carefully.



Two things that you definitely cannot know by looking at the output is whether the keys are generated and stored securely. (As opposed to e.g. using a non-cryptographic random generator to generate keys, and writing a copy of the secret keys to an unprotected location.) You can only audit this by looking at the behavior of the system.






share|improve this answer









$endgroup$















  • $begingroup$
    For the last check, I used a canari method: a huge key (a string of 128 U), and during and after the encryption process on a system without not too much free room, I ran a grep canari /dev/kmem. What is your critical analysis of this method? (Perhaps interesting enough to fork another question?).
    $endgroup$
    – dan
    5 hours ago












  • $begingroup$
    This can be much improved if you know how to detect electronic code book.
    $endgroup$
    – Joshua
    4 hours ago










  • $begingroup$
    @dan: I wouldn't try that. You are really looking for leftover garbage when the process exits; memory is lazily cleared by the kernel.
    $endgroup$
    – Joshua
    4 hours ago



















9












$begingroup$

Unless the file has a plaintext header which indicates that it has been encrypted, there is no way to distinguish ciphertext from uniform random data. You can heuristically guess that a file is encrypted if it has absolutely no structure and appears completely random, but you cannot definitively prove it.



Any cipher whose output could be distinguished from random would be considered broken.






share|improve this answer









$endgroup$











  • 1




    $begingroup$
    I cannot trust a plain text header (as a magic number) as it can be falsified.
    $endgroup$
    – dan
    13 hours ago



















1












$begingroup$

In addition to what the other answers have stated, "proper" encryption using AES-256 (block mode choice aside) can still allow backdoors, such as by maliciously choosing IVs/nonces. Phil Rogaway and others discuss this in more detail in their paper "Security of Symmetric Encryption against Mass Surveillance" (abstract available here).






share|improve this answer









$endgroup$


















    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "281"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    noCode: true, onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });






    dan is a new contributor. Be nice, and check out our Code of Conduct.










    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f72384%2fhow-to-check-a-file-was-encrypted-really-correctly%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    3 Answers
    3






    active

    oldest

    votes








    3 Answers
    3






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    10












    $begingroup$

    If you can't get access to the key for at least some sample uses, there's no way to be sure. For example, it's impossible to distinguish AES-128 from AES-256 if you don't have access to the key. That's true of any encryption method: without knowing the key, you can't distinguish the ciphertext from random data of the same length.



    A professional auditor would normally get access to some test keys, if they can't normally access those keys through some administration interface.



    You can make a statistical test, but all this will tell you is that the encryption is not completely botched or skipped.



    If your vendor is not completely dishonest and they claim to have used AES, they probably did use AES. A far more common problem than not using AES is using AES wrong. Here too, you can't be sure that they got it right, but you can at least check for some common problems.



    Check how the length of the ciphertext varies depending on the length of the plaintext. The ciphertext should include an initialization vector and an authentication tag, each of which normally adds 16 bytes. If the ciphertext is not 32 bytes larger than the plaintext, something is probably wrong, but there are cases where it can be ok (e.g. for disk encryption where the sector number is used to build unique IVs and no threat requires authentication).



    Pass the same inputs in different conditions and make sure that the resulting ciphertexts are completely different. If you can arrange to encrypt multiple messages with the same key, make sure that identical messages result in completely different ciphertexts. This validates that initialization vectors are generated, if not correctly, then at least non-stupidly.



    If there's a way for you to submit modified ciphertexts, do that and check that they are rejected with a generic “invalid ciphertext” error, rather than a specific error due to invalid content. This validates that authenticated encryption is used. There are threat models where it's ok not to have authentication, but you need to tread very carefully.



    Two things that you definitely cannot know by looking at the output is whether the keys are generated and stored securely. (As opposed to e.g. using a non-cryptographic random generator to generate keys, and writing a copy of the secret keys to an unprotected location.) You can only audit this by looking at the behavior of the system.






    share|improve this answer









    $endgroup$















    • $begingroup$
      For the last check, I used a canari method: a huge key (a string of 128 U), and during and after the encryption process on a system without not too much free room, I ran a grep canari /dev/kmem. What is your critical analysis of this method? (Perhaps interesting enough to fork another question?).
      $endgroup$
      – dan
      5 hours ago












    • $begingroup$
      This can be much improved if you know how to detect electronic code book.
      $endgroup$
      – Joshua
      4 hours ago










    • $begingroup$
      @dan: I wouldn't try that. You are really looking for leftover garbage when the process exits; memory is lazily cleared by the kernel.
      $endgroup$
      – Joshua
      4 hours ago
















    10












    $begingroup$

    If you can't get access to the key for at least some sample uses, there's no way to be sure. For example, it's impossible to distinguish AES-128 from AES-256 if you don't have access to the key. That's true of any encryption method: without knowing the key, you can't distinguish the ciphertext from random data of the same length.



    A professional auditor would normally get access to some test keys, if they can't normally access those keys through some administration interface.



    You can make a statistical test, but all this will tell you is that the encryption is not completely botched or skipped.



    If your vendor is not completely dishonest and they claim to have used AES, they probably did use AES. A far more common problem than not using AES is using AES wrong. Here too, you can't be sure that they got it right, but you can at least check for some common problems.



    Check how the length of the ciphertext varies depending on the length of the plaintext. The ciphertext should include an initialization vector and an authentication tag, each of which normally adds 16 bytes. If the ciphertext is not 32 bytes larger than the plaintext, something is probably wrong, but there are cases where it can be ok (e.g. for disk encryption where the sector number is used to build unique IVs and no threat requires authentication).



    Pass the same inputs in different conditions and make sure that the resulting ciphertexts are completely different. If you can arrange to encrypt multiple messages with the same key, make sure that identical messages result in completely different ciphertexts. This validates that initialization vectors are generated, if not correctly, then at least non-stupidly.



    If there's a way for you to submit modified ciphertexts, do that and check that they are rejected with a generic “invalid ciphertext” error, rather than a specific error due to invalid content. This validates that authenticated encryption is used. There are threat models where it's ok not to have authentication, but you need to tread very carefully.



    Two things that you definitely cannot know by looking at the output is whether the keys are generated and stored securely. (As opposed to e.g. using a non-cryptographic random generator to generate keys, and writing a copy of the secret keys to an unprotected location.) You can only audit this by looking at the behavior of the system.






    share|improve this answer









    $endgroup$















    • $begingroup$
      For the last check, I used a canari method: a huge key (a string of 128 U), and during and after the encryption process on a system without not too much free room, I ran a grep canari /dev/kmem. What is your critical analysis of this method? (Perhaps interesting enough to fork another question?).
      $endgroup$
      – dan
      5 hours ago












    • $begingroup$
      This can be much improved if you know how to detect electronic code book.
      $endgroup$
      – Joshua
      4 hours ago










    • $begingroup$
      @dan: I wouldn't try that. You are really looking for leftover garbage when the process exits; memory is lazily cleared by the kernel.
      $endgroup$
      – Joshua
      4 hours ago














    10












    10








    10





    $begingroup$

    If you can't get access to the key for at least some sample uses, there's no way to be sure. For example, it's impossible to distinguish AES-128 from AES-256 if you don't have access to the key. That's true of any encryption method: without knowing the key, you can't distinguish the ciphertext from random data of the same length.



    A professional auditor would normally get access to some test keys, if they can't normally access those keys through some administration interface.



    You can make a statistical test, but all this will tell you is that the encryption is not completely botched or skipped.



    If your vendor is not completely dishonest and they claim to have used AES, they probably did use AES. A far more common problem than not using AES is using AES wrong. Here too, you can't be sure that they got it right, but you can at least check for some common problems.



    Check how the length of the ciphertext varies depending on the length of the plaintext. The ciphertext should include an initialization vector and an authentication tag, each of which normally adds 16 bytes. If the ciphertext is not 32 bytes larger than the plaintext, something is probably wrong, but there are cases where it can be ok (e.g. for disk encryption where the sector number is used to build unique IVs and no threat requires authentication).



    Pass the same inputs in different conditions and make sure that the resulting ciphertexts are completely different. If you can arrange to encrypt multiple messages with the same key, make sure that identical messages result in completely different ciphertexts. This validates that initialization vectors are generated, if not correctly, then at least non-stupidly.



    If there's a way for you to submit modified ciphertexts, do that and check that they are rejected with a generic “invalid ciphertext” error, rather than a specific error due to invalid content. This validates that authenticated encryption is used. There are threat models where it's ok not to have authentication, but you need to tread very carefully.



    Two things that you definitely cannot know by looking at the output is whether the keys are generated and stored securely. (As opposed to e.g. using a non-cryptographic random generator to generate keys, and writing a copy of the secret keys to an unprotected location.) You can only audit this by looking at the behavior of the system.






    share|improve this answer









    $endgroup$



    If you can't get access to the key for at least some sample uses, there's no way to be sure. For example, it's impossible to distinguish AES-128 from AES-256 if you don't have access to the key. That's true of any encryption method: without knowing the key, you can't distinguish the ciphertext from random data of the same length.



    A professional auditor would normally get access to some test keys, if they can't normally access those keys through some administration interface.



    You can make a statistical test, but all this will tell you is that the encryption is not completely botched or skipped.



    If your vendor is not completely dishonest and they claim to have used AES, they probably did use AES. A far more common problem than not using AES is using AES wrong. Here too, you can't be sure that they got it right, but you can at least check for some common problems.



    Check how the length of the ciphertext varies depending on the length of the plaintext. The ciphertext should include an initialization vector and an authentication tag, each of which normally adds 16 bytes. If the ciphertext is not 32 bytes larger than the plaintext, something is probably wrong, but there are cases where it can be ok (e.g. for disk encryption where the sector number is used to build unique IVs and no threat requires authentication).



    Pass the same inputs in different conditions and make sure that the resulting ciphertexts are completely different. If you can arrange to encrypt multiple messages with the same key, make sure that identical messages result in completely different ciphertexts. This validates that initialization vectors are generated, if not correctly, then at least non-stupidly.



    If there's a way for you to submit modified ciphertexts, do that and check that they are rejected with a generic “invalid ciphertext” error, rather than a specific error due to invalid content. This validates that authenticated encryption is used. There are threat models where it's ok not to have authentication, but you need to tread very carefully.



    Two things that you definitely cannot know by looking at the output is whether the keys are generated and stored securely. (As opposed to e.g. using a non-cryptographic random generator to generate keys, and writing a copy of the secret keys to an unprotected location.) You can only audit this by looking at the behavior of the system.







    share|improve this answer












    share|improve this answer



    share|improve this answer










    answered 11 hours ago









    GillesGilles

    9,0063 gold badges29 silver badges59 bronze badges




    9,0063 gold badges29 silver badges59 bronze badges















    • $begingroup$
      For the last check, I used a canari method: a huge key (a string of 128 U), and during and after the encryption process on a system without not too much free room, I ran a grep canari /dev/kmem. What is your critical analysis of this method? (Perhaps interesting enough to fork another question?).
      $endgroup$
      – dan
      5 hours ago












    • $begingroup$
      This can be much improved if you know how to detect electronic code book.
      $endgroup$
      – Joshua
      4 hours ago










    • $begingroup$
      @dan: I wouldn't try that. You are really looking for leftover garbage when the process exits; memory is lazily cleared by the kernel.
      $endgroup$
      – Joshua
      4 hours ago


















    • $begingroup$
      For the last check, I used a canari method: a huge key (a string of 128 U), and during and after the encryption process on a system without not too much free room, I ran a grep canari /dev/kmem. What is your critical analysis of this method? (Perhaps interesting enough to fork another question?).
      $endgroup$
      – dan
      5 hours ago












    • $begingroup$
      This can be much improved if you know how to detect electronic code book.
      $endgroup$
      – Joshua
      4 hours ago










    • $begingroup$
      @dan: I wouldn't try that. You are really looking for leftover garbage when the process exits; memory is lazily cleared by the kernel.
      $endgroup$
      – Joshua
      4 hours ago
















    $begingroup$
    For the last check, I used a canari method: a huge key (a string of 128 U), and during and after the encryption process on a system without not too much free room, I ran a grep canari /dev/kmem. What is your critical analysis of this method? (Perhaps interesting enough to fork another question?).
    $endgroup$
    – dan
    5 hours ago






    $begingroup$
    For the last check, I used a canari method: a huge key (a string of 128 U), and during and after the encryption process on a system without not too much free room, I ran a grep canari /dev/kmem. What is your critical analysis of this method? (Perhaps interesting enough to fork another question?).
    $endgroup$
    – dan
    5 hours ago














    $begingroup$
    This can be much improved if you know how to detect electronic code book.
    $endgroup$
    – Joshua
    4 hours ago




    $begingroup$
    This can be much improved if you know how to detect electronic code book.
    $endgroup$
    – Joshua
    4 hours ago












    $begingroup$
    @dan: I wouldn't try that. You are really looking for leftover garbage when the process exits; memory is lazily cleared by the kernel.
    $endgroup$
    – Joshua
    4 hours ago




    $begingroup$
    @dan: I wouldn't try that. You are really looking for leftover garbage when the process exits; memory is lazily cleared by the kernel.
    $endgroup$
    – Joshua
    4 hours ago













    9












    $begingroup$

    Unless the file has a plaintext header which indicates that it has been encrypted, there is no way to distinguish ciphertext from uniform random data. You can heuristically guess that a file is encrypted if it has absolutely no structure and appears completely random, but you cannot definitively prove it.



    Any cipher whose output could be distinguished from random would be considered broken.






    share|improve this answer









    $endgroup$











    • 1




      $begingroup$
      I cannot trust a plain text header (as a magic number) as it can be falsified.
      $endgroup$
      – dan
      13 hours ago
















    9












    $begingroup$

    Unless the file has a plaintext header which indicates that it has been encrypted, there is no way to distinguish ciphertext from uniform random data. You can heuristically guess that a file is encrypted if it has absolutely no structure and appears completely random, but you cannot definitively prove it.



    Any cipher whose output could be distinguished from random would be considered broken.






    share|improve this answer









    $endgroup$











    • 1




      $begingroup$
      I cannot trust a plain text header (as a magic number) as it can be falsified.
      $endgroup$
      – dan
      13 hours ago














    9












    9








    9





    $begingroup$

    Unless the file has a plaintext header which indicates that it has been encrypted, there is no way to distinguish ciphertext from uniform random data. You can heuristically guess that a file is encrypted if it has absolutely no structure and appears completely random, but you cannot definitively prove it.



    Any cipher whose output could be distinguished from random would be considered broken.






    share|improve this answer









    $endgroup$



    Unless the file has a plaintext header which indicates that it has been encrypted, there is no way to distinguish ciphertext from uniform random data. You can heuristically guess that a file is encrypted if it has absolutely no structure and appears completely random, but you cannot definitively prove it.



    Any cipher whose output could be distinguished from random would be considered broken.







    share|improve this answer












    share|improve this answer



    share|improve this answer










    answered 17 hours ago









    forestforest

    7,3891 gold badge24 silver badges53 bronze badges




    7,3891 gold badge24 silver badges53 bronze badges











    • 1




      $begingroup$
      I cannot trust a plain text header (as a magic number) as it can be falsified.
      $endgroup$
      – dan
      13 hours ago














    • 1




      $begingroup$
      I cannot trust a plain text header (as a magic number) as it can be falsified.
      $endgroup$
      – dan
      13 hours ago








    1




    1




    $begingroup$
    I cannot trust a plain text header (as a magic number) as it can be falsified.
    $endgroup$
    – dan
    13 hours ago




    $begingroup$
    I cannot trust a plain text header (as a magic number) as it can be falsified.
    $endgroup$
    – dan
    13 hours ago











    1












    $begingroup$

    In addition to what the other answers have stated, "proper" encryption using AES-256 (block mode choice aside) can still allow backdoors, such as by maliciously choosing IVs/nonces. Phil Rogaway and others discuss this in more detail in their paper "Security of Symmetric Encryption against Mass Surveillance" (abstract available here).






    share|improve this answer









    $endgroup$




















      1












      $begingroup$

      In addition to what the other answers have stated, "proper" encryption using AES-256 (block mode choice aside) can still allow backdoors, such as by maliciously choosing IVs/nonces. Phil Rogaway and others discuss this in more detail in their paper "Security of Symmetric Encryption against Mass Surveillance" (abstract available here).






      share|improve this answer









      $endgroup$


















        1












        1








        1





        $begingroup$

        In addition to what the other answers have stated, "proper" encryption using AES-256 (block mode choice aside) can still allow backdoors, such as by maliciously choosing IVs/nonces. Phil Rogaway and others discuss this in more detail in their paper "Security of Symmetric Encryption against Mass Surveillance" (abstract available here).






        share|improve this answer









        $endgroup$



        In addition to what the other answers have stated, "proper" encryption using AES-256 (block mode choice aside) can still allow backdoors, such as by maliciously choosing IVs/nonces. Phil Rogaway and others discuss this in more detail in their paper "Security of Symmetric Encryption against Mass Surveillance" (abstract available here).







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered 4 hours ago









        rlee827rlee827

        1357 bronze badges




        1357 bronze badges

























            dan is a new contributor. Be nice, and check out our Code of Conduct.










            draft saved

            draft discarded


















            dan is a new contributor. Be nice, and check out our Code of Conduct.













            dan is a new contributor. Be nice, and check out our Code of Conduct.












            dan is a new contributor. Be nice, and check out our Code of Conduct.
















            Thanks for contributing an answer to Cryptography Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            Use MathJax to format equations. MathJax reference.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f72384%2fhow-to-check-a-file-was-encrypted-really-correctly%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            Taj Mahal Inhaltsverzeichnis Aufbau | Geschichte | 350-Jahr-Feier | Heutige Bedeutung | Siehe auch |...

            Baia Sprie Cuprins Etimologie | Istorie | Demografie | Politică și administrație | Arii naturale...

            Nicolae Petrescu-Găină Cuprins Biografie | Opera | In memoriam | Varia | Controverse, incertitudini...