AES-256 Encryption

Posted: Tue Mar 24, 2009 1:13 am
by Benjamin
This question is specific to the AES-256 encryption algorithm.

I have a need to validate that an encryption key used to generate an AES cipher is correct, without having access to the encryption key nor the unencrypted data.

In other words I have an encrypted string. I then enter the encryption key. I need to know if the key is the same key used to generate the encrypted string.

I am considering prepending a string to the front of the data before it is encrypted. I can then test for the existence of that string when I decrypt the data.

My question is this: If an attacker knows the value of the first n characters of an encrypted string [AES-256], does this in any way weaken the security of the encryption? If so, what attack method would this be called? Do you have any reference sites that discuss this?

I am open to alternative methods of verifying the decryption key, if anyone has any ideas.

Re: AES-256 Encryption

Posted: Tue Mar 24, 2009 5:33 am
by Hannes2k
Hi,
there are various ways:
1. Calculate the SHA-256 hash value and write this in front of your message. The computation needed to break your code is the minimum of breaking AES and finding an inverse function for SHA-256 for 256 bit inputs. Because SHA-256 is first pre-image resistant (finding a message with a specific hash value), this attack would be really, really hard. At the moment the best known attack against this system of SHA-256 and AES is brute force against AES or the SHA-256 value of the key.

2. Add a known value to your message, e.g. the first block of your message can just contain 00. Then encrypt the whole with AES.
To check if the correct key was entered, you just have to decrypt the first block and compare this with the known value (is the decrypted first block equal to 00...?).
This won't be any problem, because a good cipher is secure against known plaintext attacks (the attacker knows the plain- and ciphertext and tries to find the key). All the security has to be based on the key.
Even if an attacker can generate tons of plaintext and encrypt these with your key, he would not be able to find out your key in a realistic time.

3. Create a random block, encrypt this with AES. This is the first block of your ciphertext. After that, encrypt the encrypted block, this would be the second block of your ciphertext.
After that, encrypt your message in a normal way.
To check the key, decrypt the second block and compare the result with the first block of the ciphertext.

4. There are many other ways to do this thing. It is also possible that you can first check the correctness of the key when you have decrypted the whole message. This is used in (Win)Rar and slows down brute force against passwords of rar-files extremely, because you first have to decrypt the whole file before you can check if the guessed password/key was correct. But when you use really good keys, such a method is not necessary.

Personally I would prefer the second method, because it is simple, secure, fast (maybe this could be a problem with bad keys) and you need no other tools than AES.

Re: AES-256 Encryption

Posted: Tue Mar 24, 2009 7:57 am
by kaisellgren
astions wrote: I need to know if the key is the same key used to generate the encrypted string.
In other words, if your key is correct, then the message decrypted successfully. Maybe read this: http://en.wikipedia.org/wiki/Message_au ... ation_code
astions wrote: If an attacker knows the value of the first n characters of an encrypted string [AES-256], does this in any way weaken the security of the encryption? If so, what attack method would this be called? Do you have any reference sites that discuss this?
Maybe this is what you mean: http://en.wikipedia.org/wiki/Ciphertext-only_attack

Re: AES-256 Encryption

Posted: Tue Mar 24, 2009 3:55 pm
by Mordred
astions wrote: I am considering prepending a string to the front of the data before it is encrypted. I can then test for the existence of that string when I decrypt the data.

My question is this: If an attacker knows the value of the first n characters of an encrypted string [AES-256], does this in any way weaken the security of the encryption?
A little bird tells me you use the ECB mode. Don't, instead use a mode that supports IVs. CBC should do fine.
It does exactly what you consider - it prepends a known IV to the data and encrypts the whole lot.

To properly know if your data has been tampered, you must use a MAC scheme, as kai pointed out. There are cipher modes that also do authentication, but mcrypt doesn't support them. An easy alternative is HMAC, which you can also prepend to your data, and after decryption cut, recalculate for the rest of the data and compare.

Re: AES-256 Encryption

Posted: Tue Mar 24, 2009 4:09 pm
by Benjamin
I'm using the "Counter" mode of operation.

Re: AES-256 Encryption

Posted: Tue Mar 24, 2009 5:09 pm
by Mordred
Well, then the IV is used exactly in the manner you worried about (and yep, it's safe).
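As an added example (not code from anyone in this thread), the Go program below puts Hannes2k's method 2 (a known first block, checked by decrypting only that block) beside the HMAC route Mordred points to, in the counter mode Benjamin says he uses. Mordred describes prepending the HMAC to the data before encryption; this example instead computes the HMAC over the nonce and ciphertext (encrypt-then-MAC) so the tag can be checked before anything is decrypted. The message layout, the all-zero check block and the SHA-256 label derivation of a separate MAC key are assumptions of this example, not a standard format. It also shows what the thread says in words: the known-block check answers "is this the key?" but cannot see a modified ciphertext byte, while the HMAC check rejects both a wrong key and tampering.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed layout (an assumption of this example):
//   nonce(16) || AES-256-CTR(key, nonce, checkBlock || plaintext) || HMAC-SHA256 tag(32)
const (
	nonceSize  = aes.BlockSize
	tagSize    = sha256.Size
	HeaderSize = nonceSize + aes.BlockSize // nonce plus the encrypted check block
)

// checkBlock is the publicly known first plaintext block (Hannes2k's method 2).
// The all-zero value is an assumption; any fixed value works.
var checkBlock = make([]byte, aes.BlockSize)

// macKey derives a separate HMAC key so the AES key is not reused for two
// purposes. The label-plus-SHA-256 derivation is an assumption for this demo.
func macKey(key []byte) []byte {
	h := sha256.New()
	h.Write([]byte("aes-ctr-keycheck-mac"))
	h.Write(key)
	return h.Sum(nil)
}

func ctr(key, nonce []byte) (cipher.Stream, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewCTR(block, nonce), nil
}

// Seal encrypts checkBlock||plaintext under a fresh random nonce and appends
// an HMAC over nonce||ciphertext (encrypt-then-MAC).
func Seal(key, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	stream, err := ctr(key, nonce)
	if err != nil {
		return nil, err
	}
	msg := append(append([]byte{}, checkBlock...), plaintext...)
	body := make([]byte, nonceSize+len(msg))
	copy(body, nonce)
	stream.XORKeyStream(body[nonceSize:], msg)
	mac := hmac.New(sha256.New, macKey(key))
	mac.Write(body)
	return mac.Sum(body), nil // tag appended after nonce||ciphertext
}

// CheckKeyByBlock decrypts only the first block and compares it with the
// known value. It says nothing about the integrity of the rest of the message.
func CheckKeyByBlock(key, sealed []byte) bool {
	if len(sealed) < HeaderSize+tagSize {
		return false
	}
	stream, err := ctr(key, sealed[:nonceSize])
	if err != nil {
		return false
	}
	first := make([]byte, aes.BlockSize)
	stream.XORKeyStream(first, sealed[nonceSize:HeaderSize])
	return bytes.Equal(first, checkBlock)
}

// Open verifies the tag first (a wrong key and tampering both fail here),
// then decrypts and strips the check block.
func Open(key, sealed []byte) ([]byte, error) {
	if len(sealed) < HeaderSize+tagSize {
		return nil, errors.New("message too short")
	}
	body, tag := sealed[:len(sealed)-tagSize], sealed[len(sealed)-tagSize:]
	mac := hmac.New(sha256.New, macKey(key))
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) { // constant-time comparison
		return nil, errors.New("wrong key or tampered data")
	}
	stream, err := ctr(key, body[:nonceSize])
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(body)-nonceSize)
	stream.XORKeyStream(pt, body[nonceSize:])
	return pt[aes.BlockSize:], nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32)   // constructed demo key
	wrong := bytes.Repeat([]byte{0x43}, 32) // constructed wrong key
	sealed, _ := Seal(key, []byte("amount=100"))
	fmt.Println("block check, right/wrong key:", CheckKeyByBlock(key, sealed), CheckKeyByBlock(wrong, sealed))
	// Flipping one ciphertext byte after the check block flips the same
	// plaintext byte in CTR mode; only the HMAC notices.
	tampered := append([]byte{}, sealed...)
	tampered[HeaderSize] ^= 0x01
	_, err := Open(key, tampered)
	fmt.Println("block check on tampered:", CheckKeyByBlock(key, tampered), "HMAC:", err)
}
```

The known-block check is cheap and answers only the question Benjamin asked (is this the key?); the HMAC check costs a second pass over the data but is the one to rely on before acting on decrypted content, which is the distinction Mordred draws between verifying the key and detecting tampering.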