How to check a file was encrypted (really & correctly)Any good file format alternative to PGP for...
Ancients don't give a full level?
Probably terminated or laid off soon; confront or not?
Can I use my US callsign to transmit while in El Salvador?
What's "halachic" about "Esav hates Ya'akov"?
What is it exactly about flying a Flyboard across the English channel that made Zapata's thighs burn?
Conditional probability of dependent random variables
Is there a command-line tool for converting html files to pdf?
3 beeps on a 486 computer with an American Megatrends bios?
Why does capacitance not depend on the material of the plates?
Piece de Resistance - Introduction & Ace and A's
How to win against ants
Does a humanoid possessed by a ghost register as undead to a paladin's Divine Sense?
What percentage of campground outlets are GFCI or RCD protected?
What does "autolyco-sentimental" mean?
Is it okay to use different fingers every time while playing a song on keyboard? Is it considered a bad practice?
…down the primrose path
How do I show and not tell a backstory?
Why are there yellow dot stickers on the front doors of businesses in Russia?
Are the related objects in an SOQL query shared?
Is a switch from R to Python worth it?
foot-pounds of energy?
On the consistency of different well-polished astronomy software
Can I enter a rental property without giving notice if I'm afraid a tenant may be hurt?
Can a Hogwarts student refuse the Sorting Hat's decision?
How to check a file was encrypted (really & correctly)
Any good file format alternative to PGP for encrypting data at rest?How to design a cryptographically secure file hosting serviceHow to encrypt a file for random accessIs there any benefit of changing the AES-CCM encryption key periodically even if the Nonce space is not exhausted yet?Can a file encrypted with one tool be decrypted with different tool?Using what we already know about the data to decrypt it?How to effectively apply combination of Block and Stream Cipher?Derivation of many (Key, IV) pairs from random 128 nonces and one secret 512 master keyHow secure is a system that retrieves encrypted private keys from a public database?Best practices when encrypting a file with three different ciphers
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ margin-bottom:0;
}
$begingroup$
I would like to audit how an implementation of an encryption algorithm is really performed with the following given data of the problem:
- the encryption mechanism is reversible,
- the algorithm is pretended to be AES256, but might be implemented correctly or not, or worse something else,
- the key is not known,
- I don't have access to the source code.
At least I would like to be able to detect that the file is not encrypted.
Next I would like to be able to detect that the RNG is running in a tiny set or not really random.
In a first approach I thought to make an analysis of the randomness quality of the encrypted file: average value + standard deviation (with a tool like ent
).
But I immediatly thought of artificial files with a perfect average value
and standard deviation which are perfectly regular and not the result of any encryption.
Then my first approach is wrong.
The environment in which I will make this audit is a Unix one.
cryptanalysis file-encryption
New contributor
$endgroup$
|
show 1 more comment
$begingroup$
I would like to audit how an implementation of an encryption algorithm is really performed with the following given data of the problem:
- the encryption mechanism is reversible,
- the algorithm is pretended to be AES256, but might be implemented correctly or not, or worse something else,
- the key is not known,
- I don't have access to the source code.
At least I would like to be able to detect that the file is not encrypted.
Next I would like to be able to detect that the RNG is running in a tiny set or not really random.
In a first approach I thought to make an analysis of the randomness quality of the encrypted file: average value + standard deviation (with a tool like ent
).
But I immediatly thought of artificial files with a perfect average value
and standard deviation which are perfectly regular and not the result of any encryption.
Then my first approach is wrong.
The environment in which I will make this audit is a Unix one.
cryptanalysis file-encryption
New contributor
$endgroup$
$begingroup$
Whether or not you know the plaintext is irrelevant if you don't have the key.
$endgroup$
– forest
17 hours ago
2
$begingroup$
If you're auditing a real thing, the data must be real. It must therefore have some characteristic stochastic properties that you could look for. Or not have them. Or are you just encrypting one time pads/TRNG output?
$endgroup$
– Paul Uszak
17 hours ago
$begingroup$
I fixed an error in my problem description: I don’t know the clear text in most cases (caches of a running OS), but I can generate it and then encrypt it (with plain files text).
$endgroup$
– dan
13 hours ago
1
$begingroup$
You can use the execution time of the encryption to compare with some implementations. Also, try to perform cache attack if not properly implemented.
$endgroup$
– kelalaka
9 hours ago
$begingroup$
Well, what data structure would you generate? Unless it's pretty random, it will probably be distinguishable from encrypted by the fact that it can be compressed fairly easily. It all comes down to what your plain texts are, but probably doable.
$endgroup$
– Paul Uszak
8 hours ago
|
show 1 more comment
$begingroup$
I would like to audit how an implementation of an encryption algorithm is really performed with the following given data of the problem:
- the encryption mechanism is reversible,
- the algorithm is pretended to be AES256, but might be implemented correctly or not, or worse something else,
- the key is not known,
- I don't have access to the source code.
At least I would like to be able to detect that the file is not encrypted.
Next I would like to be able to detect that the RNG is running in a tiny set or not really random.
In a first approach I thought to make an analysis of the randomness quality of the encrypted file: average value + standard deviation (with a tool like ent
).
But I immediatly thought of artificial files with a perfect average value
and standard deviation which are perfectly regular and not the result of any encryption.
Then my first approach is wrong.
The environment in which I will make this audit is a Unix one.
cryptanalysis file-encryption
New contributor
$endgroup$
I would like to audit how an implementation of an encryption algorithm is really performed with the following given data of the problem:
- the encryption mechanism is reversible,
- the algorithm is pretended to be AES256, but might be implemented correctly or not, or worse something else,
- the key is not known,
- I don't have access to the source code.
At least I would like to be able to detect that the file is not encrypted.
Next I would like to be able to detect that the RNG is running in a tiny set or not really random.
In a first approach I thought to make an analysis of the randomness quality of the encrypted file: average value + standard deviation (with a tool like ent
).
But I immediatly thought of artificial files with a perfect average value
and standard deviation which are perfectly regular and not the result of any encryption.
Then my first approach is wrong.
The environment in which I will make this audit is a Unix one.
cryptanalysis file-encryption
cryptanalysis file-encryption
New contributor
New contributor
edited 5 hours ago
dan
New contributor
asked 17 hours ago
dandan
1195 bronze badges
1195 bronze badges
New contributor
New contributor
$begingroup$
Whether or not you know the plaintext is irrelevant if you don't have the key.
$endgroup$
– forest
17 hours ago
2
$begingroup$
If you're auditing a real thing, the data must be real. It must therefore have some characteristic stochastic properties that you could look for. Or not have them. Or are you just encrypting one time pads/TRNG output?
$endgroup$
– Paul Uszak
17 hours ago
$begingroup$
I fixed an error in my problem description: I don’t know the clear text in most cases (caches of a running OS), but I can generate it and then encrypt it (with plain files text).
$endgroup$
– dan
13 hours ago
1
$begingroup$
You can use the execution time of the encryption to compare with some implementations. Also, try to perform cache attack if not properly implemented.
$endgroup$
– kelalaka
9 hours ago
$begingroup$
Well, what data structure would you generate? Unless it's pretty random, it will probably be distinguishable from encrypted by the fact that it can be compressed fairly easily. It all comes down to what your plain texts are, but probably doable.
$endgroup$
– Paul Uszak
8 hours ago
|
show 1 more comment
$begingroup$
Whether or not you know the plaintext is irrelevant if you don't have the key.
$endgroup$
– forest
17 hours ago
2
$begingroup$
If you're auditing a real thing, the data must be real. It must therefore have some characteristic stochastic properties that you could look for. Or not have them. Or are you just encrypting one time pads/TRNG output?
$endgroup$
– Paul Uszak
17 hours ago
$begingroup$
I fixed an error in my problem description: I don’t know the clear text in most cases (caches of a running OS), but I can generate it and then encrypt it (with plain files text).
$endgroup$
– dan
13 hours ago
1
$begingroup$
You can use the execution time of the encryption to compare with some implementations. Also, try to perform cache attack if not properly implemented.
$endgroup$
– kelalaka
9 hours ago
$begingroup$
Well, what data structure would you generate? Unless it's pretty random, it will probably be distinguishable from encrypted by the fact that it can be compressed fairly easily. It all comes down to what your plain texts are, but probably doable.
$endgroup$
– Paul Uszak
8 hours ago
$begingroup$
Whether or not you know the plaintext is irrelevant if you don't have the key.
$endgroup$
– forest
17 hours ago
$begingroup$
Whether or not you know the plaintext is irrelevant if you don't have the key.
$endgroup$
– forest
17 hours ago
2
2
$begingroup$
If you're auditing a real thing, the data must be real. It must therefore have some characteristic stochastic properties that you could look for. Or not have them. Or are you just encrypting one time pads/TRNG output?
$endgroup$
– Paul Uszak
17 hours ago
$begingroup$
If you're auditing a real thing, the data must be real. It must therefore have some characteristic stochastic properties that you could look for. Or not have them. Or are you just encrypting one time pads/TRNG output?
$endgroup$
– Paul Uszak
17 hours ago
$begingroup$
I fixed an error in my problem description: I don’t know the clear text in most cases (caches of a running OS), but I can generate it and then encrypt it (with plain files text).
$endgroup$
– dan
13 hours ago
$begingroup$
I fixed an error in my problem description: I don’t know the clear text in most cases (caches of a running OS), but I can generate it and then encrypt it (with plain files text).
$endgroup$
– dan
13 hours ago
1
1
$begingroup$
You can use the execution time of the encryption to compare with some implementations. Also, try to perform cache attack if not properly implemented.
$endgroup$
– kelalaka
9 hours ago
$begingroup$
You can use the execution time of the encryption to compare with some implementations. Also, try to perform cache attack if not properly implemented.
$endgroup$
– kelalaka
9 hours ago
$begingroup$
Well, what data structure would you generate? Unless it's pretty random, it will probably be distinguishable from encrypted by the fact that it can be compressed fairly easily. It all comes down to what your plain texts are, but probably doable.
$endgroup$
– Paul Uszak
8 hours ago
$begingroup$
Well, what data structure would you generate? Unless it's pretty random, it will probably be distinguishable from encrypted by the fact that it can be compressed fairly easily. It all comes down to what your plain texts are, but probably doable.
$endgroup$
– Paul Uszak
8 hours ago
|
show 1 more comment
3 Answers
3
active
oldest
votes
$begingroup$
If you can't get access to the key for at least some sample uses, there's no way to be sure. For example, it's impossible to distinguish AES-128 from AES-256 if you don't have access to the key. That's true of any encryption method: without knowing the key, you can't distinguish the ciphertext from random data of the same length.
A professional auditor would normally get access to some test keys, if they can't normally access those keys through some administration interface.
You can make a statistical test, but all this will tell you is that the encryption is not completely botched or skipped.
If your vendor is not completely dishonest and they claim to have used AES, they probably did use AES. A far more common problem than not using AES is using AES wrong. Here too, you can't be sure that they got it right, but you can at least check for some common problems.
Check how the length of the ciphertext varies depending on the length of the plaintext. The ciphertext should include an initialization vector and an authentication tag, each of which normally adds 16 bytes. If the ciphertext is not 32 bytes larger than the plaintext, something is probably wrong, but there are cases where it can be ok (e.g. for disk encryption where the sector number is used to build unique IVs and no threat requires authentication).
Pass the same inputs in different conditions and make sure that the resulting ciphertexts are completely different. If you can arrange to encrypt multiple messages with the same key, make sure that identical messages result in completely different ciphertexts. This validates that initialization vectors are generated, if not correctly, then at least non-stupidly.
If there's a way for you to submit modified ciphertexts, do that and check that they are rejected with a generic “invalid ciphertext” error, rather than a specific error due to invalid content. This validates that authenticated encryption is used. There are threat models where it's ok not to have authentication, but you need to tread very carefully.
Two things that you definitely cannot know by looking at the output is whether the keys are generated and stored securely. (As opposed to e.g. using a non-cryptographic random generator to generate keys, and writing a copy of the secret keys to an unprotected location.) You can only audit this by looking at the behavior of the system.
$endgroup$
$begingroup$
For the last check, I used a canari method: a huge key (a string of 128 U), and during and after the encryption process on a system without not too much free room, I ran agrep canari /dev/kmem
. What is your critical analysis of this method? (Perhaps interesting enough to fork another question?).
$endgroup$
– dan
5 hours ago
$begingroup$
This can be much improved if you know how to detect electronic code book.
$endgroup$
– Joshua
4 hours ago
$begingroup$
@dan: I wouldn't try that. You are really looking for leftover garbage when the process exits; memory is lazily cleared by the kernel.
$endgroup$
– Joshua
4 hours ago
add a comment |
$begingroup$
Unless the file has a plaintext header which indicates that it has been encrypted, there is no way to distinguish ciphertext from uniform random data. You can heuristically guess that a file is encrypted if it has absolutely no structure and appears completely random, but you cannot definitively prove it.
Any cipher whose output could be distinguished from random would be considered broken.
$endgroup$
1
$begingroup$
I cannot trust a plain text header (as a magic number) as it can be falsified.
$endgroup$
– dan
13 hours ago
add a comment |
$begingroup$
In addition to what the other answers have stated, "proper" encryption using AES-256 (block mode choice aside) can still allow backdoors, such as by maliciously choosing IVs/nonces. Phil Rogaway and others discuss this in more detail in their paper "Security of Symmetric Encryption against Mass Surveillance" (abstract available here).
$endgroup$
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "281"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
dan is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f72384%2fhow-to-check-a-file-was-encrypted-really-correctly%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
$begingroup$
If you can't get access to the key for at least some sample uses, there's no way to be sure. For example, it's impossible to distinguish AES-128 from AES-256 if you don't have access to the key. That's true of any encryption method: without knowing the key, you can't distinguish the ciphertext from random data of the same length.
A professional auditor would normally get access to some test keys, if they can't normally access those keys through some administration interface.
You can make a statistical test, but all this will tell you is that the encryption is not completely botched or skipped.
If your vendor is not completely dishonest and they claim to have used AES, they probably did use AES. A far more common problem than not using AES is using AES wrong. Here too, you can't be sure that they got it right, but you can at least check for some common problems.
Check how the length of the ciphertext varies depending on the length of the plaintext. The ciphertext should include an initialization vector and an authentication tag, each of which normally adds 16 bytes. If the ciphertext is not 32 bytes larger than the plaintext, something is probably wrong, but there are cases where it can be ok (e.g. for disk encryption where the sector number is used to build unique IVs and no threat requires authentication).
Pass the same inputs in different conditions and make sure that the resulting ciphertexts are completely different. If you can arrange to encrypt multiple messages with the same key, make sure that identical messages result in completely different ciphertexts. This validates that initialization vectors are generated, if not correctly, then at least non-stupidly.
If there's a way for you to submit modified ciphertexts, do that and check that they are rejected with a generic “invalid ciphertext” error, rather than a specific error due to invalid content. This validates that authenticated encryption is used. There are threat models where it's ok not to have authentication, but you need to tread very carefully.
Two things that you definitely cannot know by looking at the output is whether the keys are generated and stored securely. (As opposed to e.g. using a non-cryptographic random generator to generate keys, and writing a copy of the secret keys to an unprotected location.) You can only audit this by looking at the behavior of the system.
$endgroup$
$begingroup$
For the last check, I used a canari method: a huge key (a string of 128 U), and during and after the encryption process on a system without not too much free room, I ran agrep canari /dev/kmem
. What is your critical analysis of this method? (Perhaps interesting enough to fork another question?).
$endgroup$
– dan
5 hours ago
$begingroup$
This can be much improved if you know how to detect electronic code book.
$endgroup$
– Joshua
4 hours ago
$begingroup$
@dan: I wouldn't try that. You are really looking for leftover garbage when the process exits; memory is lazily cleared by the kernel.
$endgroup$
– Joshua
4 hours ago
add a comment |
$begingroup$
If you can't get access to the key for at least some sample uses, there's no way to be sure. For example, it's impossible to distinguish AES-128 from AES-256 if you don't have access to the key. That's true of any encryption method: without knowing the key, you can't distinguish the ciphertext from random data of the same length.
A professional auditor would normally get access to some test keys, if they can't normally access those keys through some administration interface.
You can make a statistical test, but all this will tell you is that the encryption is not completely botched or skipped.
If your vendor is not completely dishonest and they claim to have used AES, they probably did use AES. A far more common problem than not using AES is using AES wrong. Here too, you can't be sure that they got it right, but you can at least check for some common problems.
Check how the length of the ciphertext varies depending on the length of the plaintext. The ciphertext should include an initialization vector and an authentication tag, each of which normally adds 16 bytes. If the ciphertext is not 32 bytes larger than the plaintext, something is probably wrong, but there are cases where it can be ok (e.g. for disk encryption where the sector number is used to build unique IVs and no threat requires authentication).
Pass the same inputs in different conditions and make sure that the resulting ciphertexts are completely different. If you can arrange to encrypt multiple messages with the same key, make sure that identical messages result in completely different ciphertexts. This validates that initialization vectors are generated, if not correctly, then at least non-stupidly.
If there's a way for you to submit modified ciphertexts, do that and check that they are rejected with a generic “invalid ciphertext” error, rather than a specific error due to invalid content. This validates that authenticated encryption is used. There are threat models where it's ok not to have authentication, but you need to tread very carefully.
Two things that you definitely cannot know by looking at the output is whether the keys are generated and stored securely. (As opposed to e.g. using a non-cryptographic random generator to generate keys, and writing a copy of the secret keys to an unprotected location.) You can only audit this by looking at the behavior of the system.
$endgroup$
$begingroup$
For the last check, I used a canari method: a huge key (a string of 128 U), and during and after the encryption process on a system without not too much free room, I ran agrep canari /dev/kmem
. What is your critical analysis of this method? (Perhaps interesting enough to fork another question?).
$endgroup$
– dan
5 hours ago
$begingroup$
This can be much improved if you know how to detect electronic code book.
$endgroup$
– Joshua
4 hours ago
$begingroup$
@dan: I wouldn't try that. You are really looking for leftover garbage when the process exits; memory is lazily cleared by the kernel.
$endgroup$
– Joshua
4 hours ago
add a comment |
$begingroup$
If you can't get access to the key for at least some sample uses, there's no way to be sure. For example, it's impossible to distinguish AES-128 from AES-256 if you don't have access to the key. That's true of any encryption method: without knowing the key, you can't distinguish the ciphertext from random data of the same length.
A professional auditor would normally get access to some test keys, if they can't normally access those keys through some administration interface.
You can make a statistical test, but all this will tell you is that the encryption is not completely botched or skipped.
If your vendor is not completely dishonest and they claim to have used AES, they probably did use AES. A far more common problem than not using AES is using AES wrong. Here too, you can't be sure that they got it right, but you can at least check for some common problems.
Check how the length of the ciphertext varies depending on the length of the plaintext. The ciphertext should include an initialization vector and an authentication tag, each of which normally adds 16 bytes. If the ciphertext is not 32 bytes larger than the plaintext, something is probably wrong, but there are cases where it can be ok (e.g. for disk encryption where the sector number is used to build unique IVs and no threat requires authentication).
Pass the same inputs in different conditions and make sure that the resulting ciphertexts are completely different. If you can arrange to encrypt multiple messages with the same key, make sure that identical messages result in completely different ciphertexts. This validates that initialization vectors are generated, if not correctly, then at least non-stupidly.
If there's a way for you to submit modified ciphertexts, do that and check that they are rejected with a generic “invalid ciphertext” error, rather than a specific error due to invalid content. This validates that authenticated encryption is used. There are threat models where it's ok not to have authentication, but you need to tread very carefully.
Two things that you definitely cannot know by looking at the output is whether the keys are generated and stored securely. (As opposed to e.g. using a non-cryptographic random generator to generate keys, and writing a copy of the secret keys to an unprotected location.) You can only audit this by looking at the behavior of the system.
$endgroup$
If you can't get access to the key for at least some sample uses, there's no way to be sure. For example, it's impossible to distinguish AES-128 from AES-256 if you don't have access to the key. That's true of any encryption method: without knowing the key, you can't distinguish the ciphertext from random data of the same length.
A professional auditor would normally get access to some test keys, if they can't normally access those keys through some administration interface.
You can make a statistical test, but all this will tell you is that the encryption is not completely botched or skipped.
If your vendor is not completely dishonest and they claim to have used AES, they probably did use AES. A far more common problem than not using AES is using AES wrong. Here too, you can't be sure that they got it right, but you can at least check for some common problems.
Check how the length of the ciphertext varies depending on the length of the plaintext. The ciphertext should include an initialization vector and an authentication tag, each of which normally adds 16 bytes. If the ciphertext is not 32 bytes larger than the plaintext, something is probably wrong, but there are cases where it can be ok (e.g. for disk encryption where the sector number is used to build unique IVs and no threat requires authentication).
Pass the same inputs in different conditions and make sure that the resulting ciphertexts are completely different. If you can arrange to encrypt multiple messages with the same key, make sure that identical messages result in completely different ciphertexts. This validates that initialization vectors are generated, if not correctly, then at least non-stupidly.
If there's a way for you to submit modified ciphertexts, do that and check that they are rejected with a generic “invalid ciphertext” error, rather than a specific error due to invalid content. This validates that authenticated encryption is used. There are threat models where it's ok not to have authentication, but you need to tread very carefully.
Two things that you definitely cannot know by looking at the output is whether the keys are generated and stored securely. (As opposed to e.g. using a non-cryptographic random generator to generate keys, and writing a copy of the secret keys to an unprotected location.) You can only audit this by looking at the behavior of the system.
answered 11 hours ago
GillesGilles
9,0063 gold badges29 silver badges59 bronze badges
9,0063 gold badges29 silver badges59 bronze badges
$begingroup$
For the last check, I used a canari method: a huge key (a string of 128 U), and during and after the encryption process on a system without not too much free room, I ran agrep canari /dev/kmem
. What is your critical analysis of this method? (Perhaps interesting enough to fork another question?).
$endgroup$
– dan
5 hours ago
$begingroup$
This can be much improved if you know how to detect electronic code book.
$endgroup$
– Joshua
4 hours ago
$begingroup$
@dan: I wouldn't try that. You are really looking for leftover garbage when the process exits; memory is lazily cleared by the kernel.
$endgroup$
– Joshua
4 hours ago
add a comment |
$begingroup$
For the last check, I used a canari method: a huge key (a string of 128 U), and during and after the encryption process on a system without not too much free room, I ran agrep canari /dev/kmem
. What is your critical analysis of this method? (Perhaps interesting enough to fork another question?).
$endgroup$
– dan
5 hours ago
$begingroup$
This can be much improved if you know how to detect electronic code book.
$endgroup$
– Joshua
4 hours ago
$begingroup$
@dan: I wouldn't try that. You are really looking for leftover garbage when the process exits; memory is lazily cleared by the kernel.
$endgroup$
– Joshua
4 hours ago
$begingroup$
For the last check, I used a canari method: a huge key (a string of 128 U), and during and after the encryption process on a system without not too much free room, I ran a
grep canari /dev/kmem
. What is your critical analysis of this method? (Perhaps interesting enough to fork another question?).$endgroup$
– dan
5 hours ago
$begingroup$
For the last check, I used a canari method: a huge key (a string of 128 U), and during and after the encryption process on a system without not too much free room, I ran a
grep canari /dev/kmem
. What is your critical analysis of this method? (Perhaps interesting enough to fork another question?).$endgroup$
– dan
5 hours ago
$begingroup$
This can be much improved if you know how to detect electronic code book.
$endgroup$
– Joshua
4 hours ago
$begingroup$
This can be much improved if you know how to detect electronic code book.
$endgroup$
– Joshua
4 hours ago
$begingroup$
@dan: I wouldn't try that. You are really looking for leftover garbage when the process exits; memory is lazily cleared by the kernel.
$endgroup$
– Joshua
4 hours ago
$begingroup$
@dan: I wouldn't try that. You are really looking for leftover garbage when the process exits; memory is lazily cleared by the kernel.
$endgroup$
– Joshua
4 hours ago
add a comment |
$begingroup$
Unless the file has a plaintext header which indicates that it has been encrypted, there is no way to distinguish ciphertext from uniform random data. You can heuristically guess that a file is encrypted if it has absolutely no structure and appears completely random, but you cannot definitively prove it.
Any cipher whose output could be distinguished from random would be considered broken.
$endgroup$
1
$begingroup$
I cannot trust a plain text header (as a magic number) as it can be falsified.
$endgroup$
– dan
13 hours ago
add a comment |
$begingroup$
Unless the file has a plaintext header which indicates that it has been encrypted, there is no way to distinguish ciphertext from uniform random data. You can heuristically guess that a file is encrypted if it has absolutely no structure and appears completely random, but you cannot definitively prove it.
Any cipher whose output could be distinguished from random would be considered broken.
$endgroup$
1
$begingroup$
I cannot trust a plain text header (as a magic number) as it can be falsified.
$endgroup$
– dan
13 hours ago
add a comment |
$begingroup$
Unless the file has a plaintext header which indicates that it has been encrypted, there is no way to distinguish ciphertext from uniform random data. You can heuristically guess that a file is encrypted if it has absolutely no structure and appears completely random, but you cannot definitively prove it.
Any cipher whose output could be distinguished from random would be considered broken.
$endgroup$
Unless the file has a plaintext header which indicates that it has been encrypted, there is no way to distinguish ciphertext from uniform random data. You can heuristically guess that a file is encrypted if it has absolutely no structure and appears completely random, but you cannot definitively prove it.
Any cipher whose output could be distinguished from random would be considered broken.
answered 17 hours ago
forestforest
7,3891 gold badge24 silver badges53 bronze badges
7,3891 gold badge24 silver badges53 bronze badges
1
$begingroup$
I cannot trust a plain text header (as a magic number) as it can be falsified.
$endgroup$
– dan
13 hours ago
add a comment |
1
$begingroup$
I cannot trust a plain text header (as a magic number) as it can be falsified.
$endgroup$
– dan
13 hours ago
1
1
$begingroup$
I cannot trust a plain text header (as a magic number) as it can be falsified.
$endgroup$
– dan
13 hours ago
$begingroup$
I cannot trust a plain text header (as a magic number) as it can be falsified.
$endgroup$
– dan
13 hours ago
add a comment |
$begingroup$
In addition to what the other answers have stated, "proper" encryption using AES-256 (block mode choice aside) can still allow backdoors, such as by maliciously choosing IVs/nonces. Phil Rogaway and others discuss this in more detail in their paper "Security of Symmetric Encryption against Mass Surveillance" (abstract available here).
$endgroup$
add a comment |
$begingroup$
In addition to what the other answers have stated, "proper" encryption using AES-256 (block mode choice aside) can still allow backdoors, such as by maliciously choosing IVs/nonces. Phil Rogaway and others discuss this in more detail in their paper "Security of Symmetric Encryption against Mass Surveillance" (abstract available here).
$endgroup$
add a comment |
$begingroup$
In addition to what the other answers have stated, "proper" encryption using AES-256 (block mode choice aside) can still allow backdoors, such as by maliciously choosing IVs/nonces. Phil Rogaway and others discuss this in more detail in their paper "Security of Symmetric Encryption against Mass Surveillance" (abstract available here).
$endgroup$
In addition to what the other answers have stated, "proper" encryption using AES-256 (block mode choice aside) can still allow backdoors, such as by maliciously choosing IVs/nonces. Phil Rogaway and others discuss this in more detail in their paper "Security of Symmetric Encryption against Mass Surveillance" (abstract available here).
answered 4 hours ago
rlee827rlee827
1357 bronze badges
1357 bronze badges
add a comment |
add a comment |
dan is a new contributor. Be nice, and check out our Code of Conduct.
dan is a new contributor. Be nice, and check out our Code of Conduct.
dan is a new contributor. Be nice, and check out our Code of Conduct.
dan is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Cryptography Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f72384%2fhow-to-check-a-file-was-encrypted-really-correctly%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
$begingroup$
Whether or not you know the plaintext is irrelevant if you don't have the key.
$endgroup$
– forest
17 hours ago
2
$begingroup$
If you're auditing a real thing, the data must be real. It must therefore have some characteristic stochastic properties that you could look for. Or not have them. Or are you just encrypting one time pads/TRNG output?
$endgroup$
– Paul Uszak
17 hours ago
$begingroup$
I fixed an error in my problem description: I don’t know the clear text in most cases (caches of a running OS), but I can generate it and then encrypt it (with plain files text).
$endgroup$
– dan
13 hours ago
1
$begingroup$
You can use the execution time of the encryption to compare with some implementations. Also, try to perform cache attack if not properly implemented.
$endgroup$
– kelalaka
9 hours ago
$begingroup$
Well, what data structure would you generate? Unless it's pretty random, it will probably be distinguishable from encrypted by the fact that it can be compressed fairly easily. It all comes down to what your plain texts are, but probably doable.
$endgroup$
– Paul Uszak
8 hours ago