How to check a file was encrypted (really & correctly)Any good file format alternative to PGP for encrypting data at rest?How to design a cryptographically secure file hosting serviceHow to encrypt a file for random accessIs there any benefit of changing the AES-CCM encryption key periodically even if the Nonce space is not exhausted yet?Can a file encrypted with one tool be decrypted with different tool?Using what we already know about the data to decrypt it?How to effectively apply combination of Block and Stream Cipher?Derivation of many (Key, IV) pairs from random 128 nonces and one secret 512 master keyHow secure is a system that retrieves encrypted private keys from a public database?Best practices when encrypting a file with three different ciphers
Why is Heisenberg shown dead in Negro y Azul?
Does a humanoid possessed by a ghost register as undead to a paladin's Divine Sense?
How do I show and not tell a backstory?
Is there a way to say "double + any number" in German?
Can a Sikh enter a buddhist temple with a turban?
What's "halachic" about "Esav hates Ya'akov"?
What is it exactly about flying a Flyboard across the English channel that made Zapata's thighs burn?
Make lens aperture in Tikz
A verb for when some rights are not violated?
What is the reason behind water not falling from a bucket at the top of loop?
Is it uncompelling to continue the story with lower stakes?
Why are there yellow dot stickers on the front doors of businesses in Russia?
Properties: Left of the colon
Vectorised way to calculate mean of left and right neighbours in a vector
Need reasons why a satellite network would not work
Piece de Resistance - Introduction & Ace and A's
Can the Cauchy product of divergent series with itself be convergent?
Why do proponents of guns oppose gun competency tests?
Is there a general term for the items in a directory?
The Game of the Century - why didn't Byrne take the rook after he forked Fischer?
conditional probability of dependent random variables
Is unspent vacation time a good argument in pay negotiations?
What does "autolyco-sentimental" mean?
In MTG, was there ever a five-color deck that worked well?
How to check a file was encrypted (really & correctly)
Any good file format alternative to PGP for encrypting data at rest?How to design a cryptographically secure file hosting serviceHow to encrypt a file for random accessIs there any benefit of changing the AES-CCM encryption key periodically even if the Nonce space is not exhausted yet?Can a file encrypted with one tool be decrypted with different tool?Using what we already know about the data to decrypt it?How to effectively apply combination of Block and Stream Cipher?Derivation of many (Key, IV) pairs from random 128 nonces and one secret 512 master keyHow secure is a system that retrieves encrypted private keys from a public database?Best practices when encrypting a file with three different ciphers
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
$begingroup$
I would like to audit how an implementation of an encryption algorithm is really performed with the following given data of the problem:
- the encryption mechanism is reversible,
- the algorithm is pretended to be AES256, but might be implemented correctly or not, or worse something else,
- the key is not known,
- I don't have access to the source code.
At least I would like to be able to detect that the file is not encrypted.
Next I would like to be able to detect that the RNG is running in a tiny set or not really random.
In a first approach I thought to make an analysis of the randomness quality of the encrypted file: average value + standard deviation (with a tool like ent).
But I immediatly thought of artificial files with a perfect average value
and standard deviation which are perfectly regular and not the result of any encryption.
Then my first approach is wrong.
The environment in which I will make this audit is a Unix one.
cryptanalysis file-encryption
asked 14 hours ago
dandan
1165 bronze badges
New contributor
dan is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
add a comment |
$begingroup$
I would like to audit how an implementation of an encryption algorithm is really performed with the following given data of the problem:
- the encryption mechanism is reversible,
- the algorithm is pretended to be AES256, but might be implemented correctly or not, or worse something else,
- the key is not known,
- I don't have access to the source code.
At least I would like to be able to detect that the file is not encrypted.
Next I would like to be able to detect that the RNG is running in a tiny set or not really random.
In a first approach I thought to make an analysis of the randomness quality of the encrypted file: average value + standard deviation (with a tool like ent).
But I immediatly thought of artificial files with a perfect average value
and standard deviation which are perfectly regular and not the result of any encryption.
Then my first approach is wrong.
The environment in which I will make this audit is a Unix one.
cryptanalysis file-encryption
asked 14 hours ago
dandan
1165 bronze badges
New contributor
dan is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
$begingroup$
Whether or not you know the plaintext is irrelevant if you don't have the key.
$endgroup$
– forest
13 hours ago
2
$begingroup$
If you're auditing a real thing, the data must be real. It must therefore have some characteristic stochastic properties that you could look for. Or not have them. Or are you just encrypting one time pads/TRNG output?
$endgroup$
– Paul Uszak
13 hours ago
$begingroup$
I fixed an error in my problem description: I don’t know the clear text in most cases (caches of a running OS), but I can generate it and then encrypt it (with plain files text).
$endgroup$
– dan
9 hours ago
1
$begingroup$
You can use the execution time of the encryption to compare with some implementations. Also, try to perform cache attack if not properly implemented.
$endgroup$
– kelalaka
5 hours ago
$begingroup$
Well, what data structure would you generate? Unless it's pretty random, it will probably be distinguishable from encrypted by the fact that it can be compressed fairly easily. It all comes down to what your plain texts are, but probably doable.
$endgroup$
– Paul Uszak
5 hours ago
add a comment |
$begingroup$
I would like to audit how an implementation of an encryption algorithm is really performed with the following given data of the problem:
- the encryption mechanism is reversible,
- the algorithm is pretended to be AES256, but might be implemented correctly or not, or worse something else,
- the key is not known,
- I don't have access to the source code.
At least I would like to be able to detect that the file is not encrypted.
Next I would like to be able to detect that the RNG is running in a tiny set or not really random.
In a first approach I thought to make an analysis of the randomness quality of the encrypted file: average value + standard deviation (with a tool like ent).
But I immediatly thought of artificial files with a perfect average value
and standard deviation which are perfectly regular and not the result of any encryption.
Then my first approach is wrong.
The environment in which I will make this audit is a Unix one.
cryptanalysis file-encryption
asked 14 hours ago
dandan
1165 bronze badges
New contributor
dan is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
I would like to audit how an implementation of an encryption algorithm is really performed with the following given data of the problem:
- the encryption mechanism is reversible,
- the algorithm is pretended to be AES256, but might be implemented correctly or not, or worse something else,
- the key is not known,
- I don't have access to the source code.
At least I would like to be able to detect that the file is not encrypted.
Next I would like to be able to detect that the RNG is running in a tiny set or not really random.
In a first approach I thought to make an analysis of the randomness quality of the encrypted file: average value + standard deviation (with a tool like ent).
But I immediatly thought of artificial files with a perfect average value
and standard deviation which are perfectly regular and not the result of any encryption.
Then my first approach is wrong.
The environment in which I will make this audit is a Unix one.
cryptanalysis file-encryption
cryptanalysis file-encryption
asked 14 hours ago
dandan
1165 bronze badges
New contributor
dan is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 14 hours ago
dandan
1165 bronze badges
New contributor
dan is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited 1 hour ago
dan
asked 14 hours ago
dandan
1165 bronze badges
New contributor
dan is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 14 hours ago
dandan
1165 bronze badges
asked 14 hours ago
dandan
1165 bronze badges
1165 bronze badges
New contributor
dan is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
dan is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$begingroup$
Whether or not you know the plaintext is irrelevant if you don't have the key.
$endgroup$
– forest
13 hours ago
2
$begingroup$
If you're auditing a real thing, the data must be real. It must therefore have some characteristic stochastic properties that you could look for. Or not have them. Or are you just encrypting one time pads/TRNG output?
$endgroup$
– Paul Uszak
13 hours ago
$begingroup$
I fixed an error in my problem description: I don’t know the clear text in most cases (caches of a running OS), but I can generate it and then encrypt it (with plain files text).
$endgroup$
– dan
9 hours ago
1
$begingroup$
You can use the execution time of the encryption to compare with some implementations. Also, try to perform cache attack if not properly implemented.
$endgroup$
– kelalaka
5 hours ago
$begingroup$
Well, what data structure would you generate? Unless it's pretty random, it will probably be distinguishable from encrypted by the fact that it can be compressed fairly easily. It all comes down to what your plain texts are, but probably doable.
$endgroup$
– Paul Uszak
5 hours ago
add a comment |
$begingroup$
Whether or not you know the plaintext is irrelevant if you don't have the key.
$endgroup$
– forest
13 hours ago
2
$begingroup$
If you're auditing a real thing, the data must be real. It must therefore have some characteristic stochastic properties that you could look for. Or not have them. Or are you just encrypting one time pads/TRNG output?
$endgroup$
– Paul Uszak
13 hours ago
$begingroup$
I fixed an error in my problem description: I don’t know the clear text in most cases (caches of a running OS), but I can generate it and then encrypt it (with plain files text).
$endgroup$
– dan
9 hours ago
1
$begingroup$
You can use the execution time of the encryption to compare with some implementations. Also, try to perform cache attack if not properly implemented.
$endgroup$
– kelalaka
5 hours ago
$begingroup$
Well, what data structure would you generate? Unless it's pretty random, it will probably be distinguishable from encrypted by the fact that it can be compressed fairly easily. It all comes down to what your plain texts are, but probably doable.
$endgroup$
– Paul Uszak
5 hours ago
$begingroup$
Whether or not you know the plaintext is irrelevant if you don't have the key.
$endgroup$
– forest
13 hours ago
$begingroup$
Whether or not you know the plaintext is irrelevant if you don't have the key.
$endgroup$
– forest
13 hours ago
2
2
$begingroup$
If you're auditing a real thing, the data must be real. It must therefore have some characteristic stochastic properties that you could look for. Or not have them. Or are you just encrypting one time pads/TRNG output?
$endgroup$
– Paul Uszak
13 hours ago
$begingroup$
If you're auditing a real thing, the data must be real. It must therefore have some characteristic stochastic properties that you could look for. Or not have them. Or are you just encrypting one time pads/TRNG output?
$endgroup$
– Paul Uszak
13 hours ago
$begingroup$
I fixed an error in my problem description: I don’t know the clear text in most cases (caches of a running OS), but I can generate it and then encrypt it (with plain files text).
$endgroup$
– dan
9 hours ago
$begingroup$
I fixed an error in my problem description: I don’t know the clear text in most cases (caches of a running OS), but I can generate it and then encrypt it (with plain files text).
$endgroup$
– dan
9 hours ago
1
1
$begingroup$
You can use the execution time of the encryption to compare with some implementations. Also, try to perform cache attack if not properly implemented.
$endgroup$
– kelalaka
5 hours ago
$begingroup$
You can use the execution time of the encryption to compare with some implementations. Also, try to perform cache attack if not properly implemented.
$endgroup$
– kelalaka
5 hours ago
$begingroup$
Well, what data structure would you generate? Unless it's pretty random, it will probably be distinguishable from encrypted by the fact that it can be compressed fairly easily. It all comes down to what your plain texts are, but probably doable.
$endgroup$
– Paul Uszak
5 hours ago
$begingroup$
Well, what data structure would you generate? Unless it's pretty random, it will probably be distinguishable from encrypted by the fact that it can be compressed fairly easily. It all comes down to what your plain texts are, but probably doable.
$endgroup$
– Paul Uszak
5 hours ago
add a comment |
3 Answers
3
active
oldest
votes
$begingroup$
Unless the file has a plaintext header which indicates that it has been encrypted, there is no way to distinguish ciphertext from uniform random data. You can heuristically guess that a file is encrypted if it has absolutely no structure and appears completely random, but you cannot definitively prove it.
Any cipher whose output could be distinguished from random would be considered broken.
answered 13 hours ago
forestforest
7,3691 gold badge24 silver badges53 bronze badges
$endgroup$
$begingroup$
I cannot trust a plain text header (as a magic number) as it can be falsified.
$endgroup$
– dan
9 hours ago
add a comment |
$begingroup$
If you can't get access to the key for at least some sample uses, there's no way to be sure. For example, it's impossible to distinguish AES-128 from AES-256 if you don't have access to the key. That's true of any encryption method: without knowing the key, you can't distinguish the ciphertext from random data of the same length.
A professional auditor would normally get access to some test keys, if they can't normally access those keys through some administration interface.
You can make a statistical test, but all this will tell you is that the encryption is not completely botched or skipped.
If your vendor is not completely dishonest and they claim to have used AES, they probably did use AES. A far more common problem than not using AES is using AES wrong. Here too, you can't be sure that they got it right, but you can at least check for some common problems.
Check how the length of the ciphertext varies depending on the length of the plaintext. The ciphertext should include an initialization vector and an authentication tag, each of which normally adds 16 bytes. If the ciphertext is not 32 bytes larger than the plaintext, something is probably wrong, but there are cases where it can be ok (e.g. for disk encryption where the sector number is used to build unique IVs and no threat requires authentication).
Pass the same inputs in different conditions and make sure that the resulting ciphertexts are completely different. If you can arrange to encrypt multiple messages with the same key, make sure that identical messages result in completely different ciphertexts. This validates that initialization vectors are generated, if not correctly, then at least non-stupidly.
If there's a way for you to submit modified ciphertexts, do that and check that they are rejected with a generic “invalid ciphertext” error, rather than a specific error due to invalid content. This validates that authenticated encryption is used. There are threat models where it's ok not to have authentication, but you need to tread very carefully.
Two things that you definitely cannot know by looking at the output is whether the keys are generated and stored securely. (As opposed to e.g. using a non-cryptographic random generator to generate keys, and writing a copy of the secret keys to an unprotected location.) You can only audit this by looking at the behavior of the system.
answered 7 hours ago
GillesGilles
8,9663 gold badges29 silver badges58 bronze badges
$endgroup$
$begingroup$
For the last check, I used a canari method: a huge key (a string of 128 U), and during and after the encryption process on a system without not too much free room, I ran agrep canari /dev/kmem. What is your critical analysis of this method? (Perhaps interesting enough to fork another question?).
$endgroup$
– dan
1 hour ago
$begingroup$
This can be much improved if you know how to detect electronic code book.
$endgroup$
– Joshua
29 mins ago
$begingroup$
@dan: I wouldn't try that. You are really looking for leftover garbage when the process exits; memory is lazily cleared by the kernel.
$endgroup$
– Joshua
26 mins ago
add a comment |
$begingroup$
In addition to what the other answers have stated, "proper" encryption using AES-256 (block mode choice aside) can still allow backdoors, such as by maliciously choosing IVs/nonces. Phil Rogaway and others discuss this in more detail in their paper "Security of Symmetric Encryption against Mass Surveillance" (abstract available here).
answered 38 mins ago
rlee827rlee827
1256 bronze badges
$endgroup$
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
dan is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f72384%2fhow-to-check-a-file-was-encrypted-really-correctly%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
$begingroup$
Unless the file has a plaintext header which indicates that it has been encrypted, there is no way to distinguish ciphertext from uniform random data. You can heuristically guess that a file is encrypted if it has absolutely no structure and appears completely random, but you cannot definitively prove it.
Any cipher whose output could be distinguished from random would be considered broken.
answered 13 hours ago
forestforest
7,3691 gold badge24 silver badges53 bronze badges
$endgroup$
$begingroup$
I cannot trust a plain text header (as a magic number) as it can be falsified.
$endgroup$
– dan
9 hours ago
add a comment |
$begingroup$
Unless the file has a plaintext header which indicates that it has been encrypted, there is no way to distinguish ciphertext from uniform random data. You can heuristically guess that a file is encrypted if it has absolutely no structure and appears completely random, but you cannot definitively prove it.
Any cipher whose output could be distinguished from random would be considered broken.
answered 13 hours ago
forestforest
7,3691 gold badge24 silver badges53 bronze badges
$endgroup$
$begingroup$
I cannot trust a plain text header (as a magic number) as it can be falsified.
$endgroup$
– dan
9 hours ago
add a comment |
$begingroup$
Unless the file has a plaintext header which indicates that it has been encrypted, there is no way to distinguish ciphertext from uniform random data. You can heuristically guess that a file is encrypted if it has absolutely no structure and appears completely random, but you cannot definitively prove it.
Any cipher whose output could be distinguished from random would be considered broken.
answered 13 hours ago
forestforest
7,3691 gold badge24 silver badges53 bronze badges
$endgroup$
Unless the file has a plaintext header which indicates that it has been encrypted, there is no way to distinguish ciphertext from uniform random data. You can heuristically guess that a file is encrypted if it has absolutely no structure and appears completely random, but you cannot definitively prove it.
Any cipher whose output could be distinguished from random would be considered broken.
answered 13 hours ago
forestforest
7,3691 gold badge24 silver badges53 bronze badges
answered 13 hours ago
forestforest
7,3691 gold badge24 silver badges53 bronze badges
answered 13 hours ago
forestforest
7,3691 gold badge24 silver badges53 bronze badges
answered 13 hours ago
forestforest
7,3691 gold badge24 silver badges53 bronze badges
7,3691 gold badge24 silver badges53 bronze badges
$begingroup$
I cannot trust a plain text header (as a magic number) as it can be falsified.
$endgroup$
– dan
9 hours ago
add a comment |
$begingroup$
I cannot trust a plain text header (as a magic number) as it can be falsified.
$endgroup$
– dan
9 hours ago
$begingroup$
I cannot trust a plain text header (as a magic number) as it can be falsified.
$endgroup$
– dan
9 hours ago
$begingroup$
I cannot trust a plain text header (as a magic number) as it can be falsified.
$endgroup$
– dan
9 hours ago
add a comment |
$begingroup$
If you can't get access to the key for at least some sample uses, there's no way to be sure. For example, it's impossible to distinguish AES-128 from AES-256 if you don't have access to the key. That's true of any encryption method: without knowing the key, you can't distinguish the ciphertext from random data of the same length.
A professional auditor would normally get access to some test keys, if they can't normally access those keys through some administration interface.
You can make a statistical test, but all this will tell you is that the encryption is not completely botched or skipped.
If your vendor is not completely dishonest and they claim to have used AES, they probably did use AES. A far more common problem than not using AES is using AES wrong. Here too, you can't be sure that they got it right, but you can at least check for some common problems.
Check how the length of the ciphertext varies depending on the length of the plaintext. The ciphertext should include an initialization vector and an authentication tag, each of which normally adds 16 bytes. If the ciphertext is not 32 bytes larger than the plaintext, something is probably wrong, but there are cases where it can be ok (e.g. for disk encryption where the sector number is used to build unique IVs and no threat requires authentication).
Pass the same inputs in different conditions and make sure that the resulting ciphertexts are completely different. If you can arrange to encrypt multiple messages with the same key, make sure that identical messages result in completely different ciphertexts. This validates that initialization vectors are generated, if not correctly, then at least non-stupidly.
If there's a way for you to submit modified ciphertexts, do that and check that they are rejected with a generic “invalid ciphertext” error, rather than a specific error due to invalid content. This validates that authenticated encryption is used. There are threat models where it's ok not to have authentication, but you need to tread very carefully.
Two things that you definitely cannot know by looking at the output is whether the keys are generated and stored securely. (As opposed to e.g. using a non-cryptographic random generator to generate keys, and writing a copy of the secret keys to an unprotected location.) You can only audit this by looking at the behavior of the system.
answered 7 hours ago
GillesGilles
8,9663 gold badges29 silver badges58 bronze badges
$endgroup$
$begingroup$
For the last check, I used a canari method: a huge key (a string of 128 U), and during and after the encryption process on a system without not too much free room, I ran agrep canari /dev/kmem. What is your critical analysis of this method? (Perhaps interesting enough to fork another question?).
$endgroup$
– dan
1 hour ago
$begingroup$
This can be much improved if you know how to detect electronic code book.
$endgroup$
– Joshua
29 mins ago
$begingroup$
@dan: I wouldn't try that. You are really looking for leftover garbage when the process exits; memory is lazily cleared by the kernel.
$endgroup$
– Joshua
26 mins ago
add a comment |
$begingroup$
If you can't get access to the key for at least some sample uses, there's no way to be sure. For example, it's impossible to distinguish AES-128 from AES-256 if you don't have access to the key. That's true of any encryption method: without knowing the key, you can't distinguish the ciphertext from random data of the same length.
A professional auditor would normally get access to some test keys, if they can't normally access those keys through some administration interface.
You can make a statistical test, but all this will tell you is that the encryption is not completely botched or skipped.
If your vendor is not completely dishonest and they claim to have used AES, they probably did use AES. A far more common problem than not using AES is using AES wrong. Here too, you can't be sure that they got it right, but you can at least check for some common problems.
Check how the length of the ciphertext varies depending on the length of the plaintext. The ciphertext should include an initialization vector and an authentication tag, each of which normally adds 16 bytes. If the ciphertext is not 32 bytes larger than the plaintext, something is probably wrong, but there are cases where it can be ok (e.g. for disk encryption where the sector number is used to build unique IVs and no threat requires authentication).
Pass the same inputs in different conditions and make sure that the resulting ciphertexts are completely different. If you can arrange to encrypt multiple messages with the same key, make sure that identical messages result in completely different ciphertexts. This validates that initialization vectors are generated, if not correctly, then at least non-stupidly.
If there's a way for you to submit modified ciphertexts, do that and check that they are rejected with a generic “invalid ciphertext” error, rather than a specific error due to invalid content. This validates that authenticated encryption is used. There are threat models where it's ok not to have authentication, but you need to tread very carefully.
Two things that you definitely cannot know by looking at the output is whether the keys are generated and stored securely. (As opposed to e.g. using a non-cryptographic random generator to generate keys, and writing a copy of the secret keys to an unprotected location.) You can only audit this by looking at the behavior of the system.
answered 7 hours ago
GillesGilles
8,9663 gold badges29 silver badges58 bronze badges
$endgroup$
$begingroup$
For the last check, I used a canari method: a huge key (a string of 128 U), and during and after the encryption process on a system without not too much free room, I ran agrep canari /dev/kmem. What is your critical analysis of this method? (Perhaps interesting enough to fork another question?).
$endgroup$
– dan
1 hour ago
$begingroup$
This can be much improved if you know how to detect electronic code book.
$endgroup$
– Joshua
29 mins ago
$begingroup$
@dan: I wouldn't try that. You are really looking for leftover garbage when the process exits; memory is lazily cleared by the kernel.
$endgroup$
– Joshua
26 mins ago
add a comment |
$begingroup$
If you can't get access to the key for at least some sample uses, there's no way to be sure. For example, it's impossible to distinguish AES-128 from AES-256 if you don't have access to the key. That's true of any encryption method: without knowing the key, you can't distinguish the ciphertext from random data of the same length.
A professional auditor would normally get access to some test keys, if they can't normally access those keys through some administration interface.
You can make a statistical test, but all this will tell you is that the encryption is not completely botched or skipped.
If your vendor is not completely dishonest and they claim to have used AES, they probably did use AES. A far more common problem than not using AES is using AES wrong. Here too, you can't be sure that they got it right, but you can at least check for some common problems.
Check how the length of the ciphertext varies depending on the length of the plaintext. The ciphertext should include an initialization vector and an authentication tag, each of which normally adds 16 bytes. If the ciphertext is not 32 bytes larger than the plaintext, something is probably wrong, but there are cases where it can be ok (e.g. for disk encryption where the sector number is used to build unique IVs and no threat requires authentication).
Pass the same inputs in different conditions and make sure that the resulting ciphertexts are completely different. If you can arrange to encrypt multiple messages with the same key, make sure that identical messages result in completely different ciphertexts. This validates that initialization vectors are generated, if not correctly, then at least non-stupidly.
If there's a way for you to submit modified ciphertexts, do that and check that they are rejected with a generic “invalid ciphertext” error, rather than a specific error due to invalid content. This validates that authenticated encryption is used. There are threat models where it's ok not to have authentication, but you need to tread very carefully.
Two things that you definitely cannot know by looking at the output is whether the keys are generated and stored securely. (As opposed to e.g. using a non-cryptographic random generator to generate keys, and writing a copy of the secret keys to an unprotected location.) You can only audit this by looking at the behavior of the system.
answered 7 hours ago
GillesGilles
8,9663 gold badges29 silver badges58 bronze badges
$endgroup$
If you can't get access to the key for at least some sample uses, there's no way to be sure. For example, it's impossible to distinguish AES-128 from AES-256 if you don't have access to the key. That's true of any encryption method: without knowing the key, you can't distinguish the ciphertext from random data of the same length.
A professional auditor would normally get access to some test keys, if they can't normally access those keys through some administration interface.
You can make a statistical test, but all this will tell you is that the encryption is not completely botched or skipped.
If your vendor is not completely dishonest and they claim to have used AES, they probably did use AES. A far more common problem than not using AES is using AES wrong. Here too, you can't be sure that they got it right, but you can at least check for some common problems.
Check how the length of the ciphertext varies depending on the length of the plaintext. The ciphertext should include an initialization vector and an authentication tag, each of which normally adds 16 bytes. If the ciphertext is not 32 bytes larger than the plaintext, something is probably wrong, but there are cases where it can be ok (e.g. for disk encryption where the sector number is used to build unique IVs and no threat requires authentication).
Pass the same inputs in different conditions and make sure that the resulting ciphertexts are completely different. If you can arrange to encrypt multiple messages with the same key, make sure that identical messages result in completely different ciphertexts. This validates that initialization vectors are generated, if not correctly, then at least non-stupidly.
If there's a way for you to submit modified ciphertexts, do that and check that they are rejected with a generic “invalid ciphertext” error, rather than a specific error due to invalid content. This validates that authenticated encryption is used. There are threat models where it's ok not to have authentication, but you need to tread very carefully.
Two things that you definitely cannot know by looking at the output is whether the keys are generated and stored securely. (As opposed to e.g. using a non-cryptographic random generator to generate keys, and writing a copy of the secret keys to an unprotected location.) You can only audit this by looking at the behavior of the system.
answered 7 hours ago
GillesGilles
8,9663 gold badges29 silver badges58 bronze badges
answered 7 hours ago
GillesGilles
8,9663 gold badges29 silver badges58 bronze badges
answered 7 hours ago
GillesGilles
8,9663 gold badges29 silver badges58 bronze badges
answered 7 hours ago
GillesGilles
8,9663 gold badges29 silver badges58 bronze badges
8,9663 gold badges29 silver badges58 bronze badges
$begingroup$
For the last check, I used a canari method: a huge key (a string of 128 U), and during and after the encryption process on a system without not too much free room, I ran agrep canari /dev/kmem. What is your critical analysis of this method? (Perhaps interesting enough to fork another question?).
$endgroup$
– dan
1 hour ago
$begingroup$
This can be much improved if you know how to detect electronic code book.
$endgroup$
– Joshua
29 mins ago
$begingroup$
@dan: I wouldn't try that. You are really looking for leftover garbage when the process exits; memory is lazily cleared by the kernel.
$endgroup$
– Joshua
26 mins ago
add a comment |
$begingroup$
For the last check, I used a canari method: a huge key (a string of 128 U), and during and after the encryption process on a system without not too much free room, I ran agrep canari /dev/kmem. What is your critical analysis of this method? (Perhaps interesting enough to fork another question?).
$endgroup$
– dan
1 hour ago
$begingroup$
This can be much improved if you know how to detect electronic code book.
$endgroup$
– Joshua
29 mins ago
$begingroup$
@dan: I wouldn't try that. You are really looking for leftover garbage when the process exits; memory is lazily cleared by the kernel.
$endgroup$
– Joshua
26 mins ago
$begingroup$
For the last check, I used a canari method: a huge key (a string of 128 U), and during and after the encryption process on a system without not too much free room, I ran a
grep canari /dev/kmem. What is your critical analysis of this method? (Perhaps interesting enough to fork another question?).$endgroup$
– dan
1 hour ago
$begingroup$
For the last check, I used a canari method: a huge key (a string of 128 U), and during and after the encryption process on a system without not too much free room, I ran a
grep canari /dev/kmem. What is your critical analysis of this method? (Perhaps interesting enough to fork another question?).$endgroup$
– dan
1 hour ago
$begingroup$
This can be much improved if you know how to detect electronic code book.
$endgroup$
– Joshua
29 mins ago
$begingroup$
This can be much improved if you know how to detect electronic code book.
$endgroup$
– Joshua
29 mins ago
$begingroup$
@dan: I wouldn't try that. You are really looking for leftover garbage when the process exits; memory is lazily cleared by the kernel.
$endgroup$
– Joshua
26 mins ago
$begingroup$
@dan: I wouldn't try that. You are really looking for leftover garbage when the process exits; memory is lazily cleared by the kernel.
$endgroup$
– Joshua
26 mins ago
add a comment |
$begingroup$
In addition to what the other answers have stated, "proper" encryption using AES-256 (block mode choice aside) can still allow backdoors, such as by maliciously choosing IVs/nonces. Phil Rogaway and others discuss this in more detail in their paper "Security of Symmetric Encryption against Mass Surveillance" (abstract available here).
answered 38 mins ago
rlee827rlee827
1256 bronze badges
$endgroup$
add a comment |
$begingroup$
In addition to what the other answers have stated, "proper" encryption using AES-256 (block mode choice aside) can still allow backdoors, such as by maliciously choosing IVs/nonces. Phil Rogaway and others discuss this in more detail in their paper "Security of Symmetric Encryption against Mass Surveillance" (abstract available here).
answered 38 mins ago
rlee827rlee827
1256 bronze badges
$endgroup$
add a comment |
$begingroup$
In addition to what the other answers have stated, "proper" encryption using AES-256 (block mode choice aside) can still allow backdoors, such as by maliciously choosing IVs/nonces. Phil Rogaway and others discuss this in more detail in their paper "Security of Symmetric Encryption against Mass Surveillance" (abstract available here).
answered 38 mins ago
rlee827rlee827
1256 bronze badges
$endgroup$
In addition to what the other answers have stated, "proper" encryption using AES-256 (block mode choice aside) can still allow backdoors, such as by maliciously choosing IVs/nonces. Phil Rogaway and others discuss this in more detail in their paper "Security of Symmetric Encryption against Mass Surveillance" (abstract available here).
answered 38 mins ago
rlee827rlee827
1256 bronze badges
answered 38 mins ago
rlee827rlee827
1256 bronze badges
answered 38 mins ago
rlee827rlee827
1256 bronze badges
answered 38 mins ago
rlee827rlee827
1256 bronze badges
1256 bronze badges
add a comment |
add a comment |
dan is a new contributor. Be nice, and check out our Code of Conduct.
dan is a new contributor. Be nice, and check out our Code of Conduct.
dan is a new contributor. Be nice, and check out our Code of Conduct.
dan is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Cryptography Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f72384%2fhow-to-check-a-file-was-encrypted-really-correctly%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
$begingroup$
Whether or not you know the plaintext is irrelevant if you don't have the key.
$endgroup$
– forest
13 hours ago
2
$begingroup$
If you're auditing a real thing, the data must be real. It must therefore have some characteristic stochastic properties that you could look for. Or not have them. Or are you just encrypting one time pads/TRNG output?
$endgroup$
– Paul Uszak
13 hours ago
$begingroup$
I fixed an error in my problem description: I don’t know the clear text in most cases (caches of a running OS), but I can generate it and then encrypt it (with plain files text).
$endgroup$
– dan
9 hours ago
1
$begingroup$
You can use the execution time of the encryption to compare with some implementations. Also, try to perform cache attack if not properly implemented.
$endgroup$
– kelalaka
5 hours ago
$begingroup$
Well, what data structure would you generate? Unless it's pretty random, it will probably be distinguishable from encrypted by the fact that it can be compressed fairly easily. It all comes down to what your plain texts are, but probably doable.
$endgroup$
– Paul Uszak
5 hours ago