How to check a file was encrypted (really & correctly)Any good file format alternative to PGP for encrypting data at rest?How to design a cryptographically secure file hosting serviceHow to encrypt a file for random accessIs there any benefit of changing the AES-CCM encryption key periodically even if the Nonce space is not exhausted yet?Can a file encrypted with one tool be decrypted with different tool?Using what we already know about the data to decrypt it?How to effectively apply combination of Block and Stream Cipher?Derivation of many (Key, IV) pairs from random 128 nonces and one secret 512 master keyHow secure is a system that retrieves encrypted private keys from a public database?Best practices when encrypting a file with three different ciphers

Why is Heisenberg shown dead in Negro y Azul?

Does a humanoid possessed by a ghost register as undead to a paladin's Divine Sense?

How do I show and not tell a backstory?

Is there a way to say "double + any number" in German?

Can a Sikh enter a buddhist temple with a turban?

What's "halachic" about "Esav hates Ya'akov"?

What is it exactly about flying a Flyboard across the English channel that made Zapata's thighs burn?

Make lens aperture in Tikz

A verb for when some rights are not violated?

What is the reason behind water not falling from a bucket at the top of loop?

Is it uncompelling to continue the story with lower stakes?

Why are there yellow dot stickers on the front doors of businesses in Russia?

Properties: Left of the colon

Vectorised way to calculate mean of left and right neighbours in a vector

Need reasons why a satellite network would not work

Piece de Resistance - Introduction & Ace and A's

Can the Cauchy product of divergent series with itself be convergent?

Why do proponents of guns oppose gun competency tests?

Is there a general term for the items in a directory?

The Game of the Century - why didn't Byrne take the rook after he forked Fischer?

conditional probability of dependent random variables

Is unspent vacation time a good argument in pay negotiations?

What does "autolyco-sentimental" mean?

In MTG, was there ever a five-color deck that worked well?



How to check a file was encrypted (really & correctly)


Any good file format alternative to PGP for encrypting data at rest?How to design a cryptographically secure file hosting serviceHow to encrypt a file for random accessIs there any benefit of changing the AES-CCM encryption key periodically even if the Nonce space is not exhausted yet?Can a file encrypted with one tool be decrypted with different tool?Using what we already know about the data to decrypt it?How to effectively apply combination of Block and Stream Cipher?Derivation of many (Key, IV) pairs from random 128 nonces and one secret 512 master keyHow secure is a system that retrieves encrypted private keys from a public database?Best practices when encrypting a file with three different ciphers






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








3












$begingroup$


I would like to audit how an implementation of an encryption algorithm is really performed with the following given data of the problem:



  • the encryption mechanism is reversible,

  • the algorithm is pretended to be AES256, but might be implemented correctly or not, or worse something else,

  • the key is not known,

  • I don't have access to the source code.

At least I would like to be able to detect that the file is not encrypted.
Next I would like to be able to detect that the RNG is running in a tiny set or not really random.



In a first approach I thought to make an analysis of the randomness quality of the encrypted file: average value + standard deviation (with a tool like ent).
But I immediatly thought of artificial files with a perfect average value
and standard deviation which are perfectly regular and not the result of any encryption.
Then my first approach is wrong.



The environment in which I will make this audit is a Unix one.










share|improve this question









New contributor



dan is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






$endgroup$













  • $begingroup$
    Whether or not you know the plaintext is irrelevant if you don't have the key.
    $endgroup$
    – forest
    13 hours ago






  • 2




    $begingroup$
    If you're auditing a real thing, the data must be real. It must therefore have some characteristic stochastic properties that you could look for. Or not have them. Or are you just encrypting one time pads/TRNG output?
    $endgroup$
    – Paul Uszak
    13 hours ago










  • $begingroup$
    I fixed an error in my problem description: I don’t know the clear text in most cases (caches of a running OS), but I can generate it and then encrypt it (with plain files text).
    $endgroup$
    – dan
    9 hours ago






  • 1




    $begingroup$
    You can use the execution time of the encryption to compare with some implementations. Also, try to perform cache attack if not properly implemented.
    $endgroup$
    – kelalaka
    5 hours ago










  • $begingroup$
    Well, what data structure would you generate? Unless it's pretty random, it will probably be distinguishable from encrypted by the fact that it can be compressed fairly easily. It all comes down to what your plain texts are, but probably doable.
    $endgroup$
    – Paul Uszak
    5 hours ago


















3












$begingroup$


I would like to audit how an implementation of an encryption algorithm is really performed with the following given data of the problem:



  • the encryption mechanism is reversible,

  • the algorithm is pretended to be AES256, but might be implemented correctly or not, or worse something else,

  • the key is not known,

  • I don't have access to the source code.

At least I would like to be able to detect that the file is not encrypted.
Next I would like to be able to detect that the RNG is running in a tiny set or not really random.



In a first approach I thought to make an analysis of the randomness quality of the encrypted file: average value + standard deviation (with a tool like ent).
But I immediatly thought of artificial files with a perfect average value
and standard deviation which are perfectly regular and not the result of any encryption.
Then my first approach is wrong.



The environment in which I will make this audit is a Unix one.










share|improve this question









New contributor



dan is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






$endgroup$













  • $begingroup$
    Whether or not you know the plaintext is irrelevant if you don't have the key.
    $endgroup$
    – forest
    13 hours ago






  • 2




    $begingroup$
    If you're auditing a real thing, the data must be real. It must therefore have some characteristic stochastic properties that you could look for. Or not have them. Or are you just encrypting one time pads/TRNG output?
    $endgroup$
    – Paul Uszak
    13 hours ago










  • $begingroup$
    I fixed an error in my problem description: I don’t know the clear text in most cases (caches of a running OS), but I can generate it and then encrypt it (with plain files text).
    $endgroup$
    – dan
    9 hours ago






  • 1




    $begingroup$
    You can use the execution time of the encryption to compare with some implementations. Also, try to perform cache attack if not properly implemented.
    $endgroup$
    – kelalaka
    5 hours ago










  • $begingroup$
    Well, what data structure would you generate? Unless it's pretty random, it will probably be distinguishable from encrypted by the fact that it can be compressed fairly easily. It all comes down to what your plain texts are, but probably doable.
    $endgroup$
    – Paul Uszak
    5 hours ago














3












3








3


2



$begingroup$


I would like to audit how an implementation of an encryption algorithm is really performed with the following given data of the problem:



  • the encryption mechanism is reversible,

  • the algorithm is pretended to be AES256, but might be implemented correctly or not, or worse something else,

  • the key is not known,

  • I don't have access to the source code.

At least I would like to be able to detect that the file is not encrypted.
Next I would like to be able to detect that the RNG is running in a tiny set or not really random.



In a first approach I thought to make an analysis of the randomness quality of the encrypted file: average value + standard deviation (with a tool like ent).
But I immediatly thought of artificial files with a perfect average value
and standard deviation which are perfectly regular and not the result of any encryption.
Then my first approach is wrong.



The environment in which I will make this audit is a Unix one.










share|improve this question









New contributor



dan is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






$endgroup$




I would like to audit how an implementation of an encryption algorithm is really performed with the following given data of the problem:



  • the encryption mechanism is reversible,

  • the algorithm is pretended to be AES256, but might be implemented correctly or not, or worse something else,

  • the key is not known,

  • I don't have access to the source code.

At least I would like to be able to detect that the file is not encrypted.
Next I would like to be able to detect that the RNG is running in a tiny set or not really random.



In a first approach I thought to make an analysis of the randomness quality of the encrypted file: average value + standard deviation (with a tool like ent).
But I immediatly thought of artificial files with a perfect average value
and standard deviation which are perfectly regular and not the result of any encryption.
Then my first approach is wrong.



The environment in which I will make this audit is a Unix one.







cryptanalysis file-encryption






share|improve this question









New contributor



dan is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.










share|improve this question









New contributor



dan is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.








share|improve this question




share|improve this question








edited 1 hour ago







dan













New contributor



dan is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.








asked 14 hours ago









dandan

1165 bronze badges




1165 bronze badges




New contributor



dan is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.




New contributor




dan is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
















  • $begingroup$
    Whether or not you know the plaintext is irrelevant if you don't have the key.
    $endgroup$
    – forest
    13 hours ago






  • 2




    $begingroup$
    If you're auditing a real thing, the data must be real. It must therefore have some characteristic stochastic properties that you could look for. Or not have them. Or are you just encrypting one time pads/TRNG output?
    $endgroup$
    – Paul Uszak
    13 hours ago










  • $begingroup$
    I fixed an error in my problem description: I don’t know the clear text in most cases (caches of a running OS), but I can generate it and then encrypt it (with plain files text).
    $endgroup$
    – dan
    9 hours ago






  • 1




    $begingroup$
    You can use the execution time of the encryption to compare with some implementations. Also, try to perform cache attack if not properly implemented.
    $endgroup$
    – kelalaka
    5 hours ago










  • $begingroup$
    Well, what data structure would you generate? Unless it's pretty random, it will probably be distinguishable from encrypted by the fact that it can be compressed fairly easily. It all comes down to what your plain texts are, but probably doable.
    $endgroup$
    – Paul Uszak
    5 hours ago

















  • $begingroup$
    Whether or not you know the plaintext is irrelevant if you don't have the key.
    $endgroup$
    – forest
    13 hours ago






  • 2




    $begingroup$
    If you're auditing a real thing, the data must be real. It must therefore have some characteristic stochastic properties that you could look for. Or not have them. Or are you just encrypting one time pads/TRNG output?
    $endgroup$
    – Paul Uszak
    13 hours ago










  • $begingroup$
    I fixed an error in my problem description: I don’t know the clear text in most cases (caches of a running OS), but I can generate it and then encrypt it (with plain files text).
    $endgroup$
    – dan
    9 hours ago






  • 1




    $begingroup$
    You can use the execution time of the encryption to compare with some implementations. Also, try to perform cache attack if not properly implemented.
    $endgroup$
    – kelalaka
    5 hours ago










  • $begingroup$
    Well, what data structure would you generate? Unless it's pretty random, it will probably be distinguishable from encrypted by the fact that it can be compressed fairly easily. It all comes down to what your plain texts are, but probably doable.
    $endgroup$
    – Paul Uszak
    5 hours ago
















$begingroup$
Whether or not you know the plaintext is irrelevant if you don't have the key.
$endgroup$
– forest
13 hours ago




$begingroup$
Whether or not you know the plaintext is irrelevant if you don't have the key.
$endgroup$
– forest
13 hours ago




2




2




$begingroup$
If you're auditing a real thing, the data must be real. It must therefore have some characteristic stochastic properties that you could look for. Or not have them. Or are you just encrypting one time pads/TRNG output?
$endgroup$
– Paul Uszak
13 hours ago




$begingroup$
If you're auditing a real thing, the data must be real. It must therefore have some characteristic stochastic properties that you could look for. Or not have them. Or are you just encrypting one time pads/TRNG output?
$endgroup$
– Paul Uszak
13 hours ago












$begingroup$
I fixed an error in my problem description: I don’t know the clear text in most cases (caches of a running OS), but I can generate it and then encrypt it (with plain files text).
$endgroup$
– dan
9 hours ago




$begingroup$
I fixed an error in my problem description: I don’t know the clear text in most cases (caches of a running OS), but I can generate it and then encrypt it (with plain files text).
$endgroup$
– dan
9 hours ago




1




1




$begingroup$
You can use the execution time of the encryption to compare with some implementations. Also, try to perform cache attack if not properly implemented.
$endgroup$
– kelalaka
5 hours ago




$begingroup$
You can use the execution time of the encryption to compare with some implementations. Also, try to perform cache attack if not properly implemented.
$endgroup$
– kelalaka
5 hours ago












$begingroup$
Well, what data structure would you generate? Unless it's pretty random, it will probably be distinguishable from encrypted by the fact that it can be compressed fairly easily. It all comes down to what your plain texts are, but probably doable.
$endgroup$
– Paul Uszak
5 hours ago





$begingroup$
Well, what data structure would you generate? Unless it's pretty random, it will probably be distinguishable from encrypted by the fact that it can be compressed fairly easily. It all comes down to what your plain texts are, but probably doable.
$endgroup$
– Paul Uszak
5 hours ago











3 Answers
3






active

oldest

votes


















7












$begingroup$

Unless the file has a plaintext header which indicates that it has been encrypted, there is no way to distinguish ciphertext from uniform random data. You can heuristically guess that a file is encrypted if it has absolutely no structure and appears completely random, but you cannot definitively prove it.



Any cipher whose output could be distinguished from random would be considered broken.






share|improve this answer









$endgroup$














  • $begingroup$
    I cannot trust a plain text header (as a magic number) as it can be falsified.
    $endgroup$
    – dan
    9 hours ago


















6












$begingroup$

If you can't get access to the key for at least some sample uses, there's no way to be sure. For example, it's impossible to distinguish AES-128 from AES-256 if you don't have access to the key. That's true of any encryption method: without knowing the key, you can't distinguish the ciphertext from random data of the same length.



A professional auditor would normally get access to some test keys, if they can't normally access those keys through some administration interface.



You can make a statistical test, but all this will tell you is that the encryption is not completely botched or skipped.



If your vendor is not completely dishonest and they claim to have used AES, they probably did use AES. A far more common problem than not using AES is using AES wrong. Here too, you can't be sure that they got it right, but you can at least check for some common problems.



Check how the length of the ciphertext varies depending on the length of the plaintext. The ciphertext should include an initialization vector and an authentication tag, each of which normally adds 16 bytes. If the ciphertext is not 32 bytes larger than the plaintext, something is probably wrong, but there are cases where it can be ok (e.g. for disk encryption where the sector number is used to build unique IVs and no threat requires authentication).



Pass the same inputs in different conditions and make sure that the resulting ciphertexts are completely different. If you can arrange to encrypt multiple messages with the same key, make sure that identical messages result in completely different ciphertexts. This validates that initialization vectors are generated, if not correctly, then at least non-stupidly.



If there's a way for you to submit modified ciphertexts, do that and check that they are rejected with a generic “invalid ciphertext” error, rather than a specific error due to invalid content. This validates that authenticated encryption is used. There are threat models where it's ok not to have authentication, but you need to tread very carefully.



Two things that you definitely cannot know by looking at the output is whether the keys are generated and stored securely. (As opposed to e.g. using a non-cryptographic random generator to generate keys, and writing a copy of the secret keys to an unprotected location.) You can only audit this by looking at the behavior of the system.






share|improve this answer









$endgroup$














  • $begingroup$
    For the last check, I used a canari method: a huge key (a string of 128 U), and during and after the encryption process on a system without not too much free room, I ran a grep canari /dev/kmem. What is your critical analysis of this method? (Perhaps interesting enough to fork another question?).
    $endgroup$
    – dan
    1 hour ago











  • $begingroup$
    This can be much improved if you know how to detect electronic code book.
    $endgroup$
    – Joshua
    29 mins ago










  • $begingroup$
    @dan: I wouldn't try that. You are really looking for leftover garbage when the process exits; memory is lazily cleared by the kernel.
    $endgroup$
    – Joshua
    26 mins ago


















0












$begingroup$

In addition to what the other answers have stated, "proper" encryption using AES-256 (block mode choice aside) can still allow backdoors, such as by maliciously choosing IVs/nonces. Phil Rogaway and others discuss this in more detail in their paper "Security of Symmetric Encryption against Mass Surveillance" (abstract available here).






share|improve this answer









$endgroup$

















    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "281"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    noCode: true, onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );






    dan is a new contributor. Be nice, and check out our Code of Conduct.









    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f72384%2fhow-to-check-a-file-was-encrypted-really-correctly%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    3 Answers
    3






    active

    oldest

    votes








    3 Answers
    3






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    7












    $begingroup$

    Unless the file has a plaintext header which indicates that it has been encrypted, there is no way to distinguish ciphertext from uniform random data. You can heuristically guess that a file is encrypted if it has absolutely no structure and appears completely random, but you cannot definitively prove it.



    Any cipher whose output could be distinguished from random would be considered broken.






    share|improve this answer









    $endgroup$














    • $begingroup$
      I cannot trust a plain text header (as a magic number) as it can be falsified.
      $endgroup$
      – dan
      9 hours ago















    7












    $begingroup$

    Unless the file has a plaintext header which indicates that it has been encrypted, there is no way to distinguish ciphertext from uniform random data. You can heuristically guess that a file is encrypted if it has absolutely no structure and appears completely random, but you cannot definitively prove it.



    Any cipher whose output could be distinguished from random would be considered broken.






    share|improve this answer









    $endgroup$














    • $begingroup$
      I cannot trust a plain text header (as a magic number) as it can be falsified.
      $endgroup$
      – dan
      9 hours ago













    7












    7








    7





    $begingroup$

    Unless the file has a plaintext header which indicates that it has been encrypted, there is no way to distinguish ciphertext from uniform random data. You can heuristically guess that a file is encrypted if it has absolutely no structure and appears completely random, but you cannot definitively prove it.



    Any cipher whose output could be distinguished from random would be considered broken.






    share|improve this answer









    $endgroup$



    Unless the file has a plaintext header which indicates that it has been encrypted, there is no way to distinguish ciphertext from uniform random data. You can heuristically guess that a file is encrypted if it has absolutely no structure and appears completely random, but you cannot definitively prove it.



    Any cipher whose output could be distinguished from random would be considered broken.







    share|improve this answer












    share|improve this answer



    share|improve this answer










    answered 13 hours ago









    forestforest

    7,3691 gold badge24 silver badges53 bronze badges




    7,3691 gold badge24 silver badges53 bronze badges














    • $begingroup$
      I cannot trust a plain text header (as a magic number) as it can be falsified.
      $endgroup$
      – dan
      9 hours ago
















    • $begingroup$
      I cannot trust a plain text header (as a magic number) as it can be falsified.
      $endgroup$
      – dan
      9 hours ago















    $begingroup$
    I cannot trust a plain text header (as a magic number) as it can be falsified.
    $endgroup$
    – dan
    9 hours ago




    $begingroup$
    I cannot trust a plain text header (as a magic number) as it can be falsified.
    $endgroup$
    – dan
    9 hours ago













    6












    $begingroup$

    If you can't get access to the key for at least some sample uses, there's no way to be sure. For example, it's impossible to distinguish AES-128 from AES-256 if you don't have access to the key. That's true of any encryption method: without knowing the key, you can't distinguish the ciphertext from random data of the same length.



    A professional auditor would normally get access to some test keys, if they can't normally access those keys through some administration interface.



    You can make a statistical test, but all this will tell you is that the encryption is not completely botched or skipped.



    If your vendor is not completely dishonest and they claim to have used AES, they probably did use AES. A far more common problem than not using AES is using AES wrong. Here too, you can't be sure that they got it right, but you can at least check for some common problems.



    Check how the length of the ciphertext varies depending on the length of the plaintext. The ciphertext should include an initialization vector and an authentication tag, each of which normally adds 16 bytes. If the ciphertext is not 32 bytes larger than the plaintext, something is probably wrong, but there are cases where it can be ok (e.g. for disk encryption where the sector number is used to build unique IVs and no threat requires authentication).



    Pass the same inputs in different conditions and make sure that the resulting ciphertexts are completely different. If you can arrange to encrypt multiple messages with the same key, make sure that identical messages result in completely different ciphertexts. This validates that initialization vectors are generated, if not correctly, then at least non-stupidly.



    If there's a way for you to submit modified ciphertexts, do that and check that they are rejected with a generic “invalid ciphertext” error, rather than a specific error due to invalid content. This validates that authenticated encryption is used. There are threat models where it's ok not to have authentication, but you need to tread very carefully.



    Two things that you definitely cannot know by looking at the output is whether the keys are generated and stored securely. (As opposed to e.g. using a non-cryptographic random generator to generate keys, and writing a copy of the secret keys to an unprotected location.) You can only audit this by looking at the behavior of the system.






    share|improve this answer









    $endgroup$














    • $begingroup$
      For the last check, I used a canari method: a huge key (a string of 128 U), and during and after the encryption process on a system without not too much free room, I ran a grep canari /dev/kmem. What is your critical analysis of this method? (Perhaps interesting enough to fork another question?).
      $endgroup$
      – dan
      1 hour ago











    • $begingroup$
      This can be much improved if you know how to detect electronic code book.
      $endgroup$
      – Joshua
      29 mins ago










    • $begingroup$
      @dan: I wouldn't try that. You are really looking for leftover garbage when the process exits; memory is lazily cleared by the kernel.
      $endgroup$
      – Joshua
      26 mins ago















    6












    $begingroup$

    If you can't get access to the key for at least some sample uses, there's no way to be sure. For example, it's impossible to distinguish AES-128 from AES-256 if you don't have access to the key. That's true of any encryption method: without knowing the key, you can't distinguish the ciphertext from random data of the same length.



    A professional auditor would normally get access to some test keys, if they can't normally access those keys through some administration interface.



    You can make a statistical test, but all this will tell you is that the encryption is not completely botched or skipped.



    If your vendor is not completely dishonest and they claim to have used AES, they probably did use AES. A far more common problem than not using AES is using AES wrong. Here too, you can't be sure that they got it right, but you can at least check for some common problems.



    Check how the length of the ciphertext varies depending on the length of the plaintext. The ciphertext should include an initialization vector and an authentication tag, each of which normally adds 16 bytes. If the ciphertext is not 32 bytes larger than the plaintext, something is probably wrong, but there are cases where it can be ok (e.g. for disk encryption where the sector number is used to build unique IVs and no threat requires authentication).



    Pass the same inputs in different conditions and make sure that the resulting ciphertexts are completely different. If you can arrange to encrypt multiple messages with the same key, make sure that identical messages result in completely different ciphertexts. This validates that initialization vectors are generated, if not correctly, then at least non-stupidly.



    If there's a way for you to submit modified ciphertexts, do that and check that they are rejected with a generic “invalid ciphertext” error, rather than a specific error due to invalid content. This validates that authenticated encryption is used. There are threat models where it's ok not to have authentication, but you need to tread very carefully.



    Two things that you definitely cannot know by looking at the output is whether the keys are generated and stored securely. (As opposed to e.g. using a non-cryptographic random generator to generate keys, and writing a copy of the secret keys to an unprotected location.) You can only audit this by looking at the behavior of the system.






    share|improve this answer









    $endgroup$














    • $begingroup$
      For the last check, I used a canari method: a huge key (a string of 128 U), and during and after the encryption process on a system without not too much free room, I ran a grep canari /dev/kmem. What is your critical analysis of this method? (Perhaps interesting enough to fork another question?).
      $endgroup$
      – dan
      1 hour ago











    • $begingroup$
      This can be much improved if you know how to detect electronic code book.
      $endgroup$
      – Joshua
      29 mins ago










    • $begingroup$
      @dan: I wouldn't try that. You are really looking for leftover garbage when the process exits; memory is lazily cleared by the kernel.
      $endgroup$
      – Joshua
      26 mins ago













    6












    6








    6





    $begingroup$

    If you can't get access to the key for at least some sample uses, there's no way to be sure. For example, it's impossible to distinguish AES-128 from AES-256 if you don't have access to the key. That's true of any encryption method: without knowing the key, you can't distinguish the ciphertext from random data of the same length.



    A professional auditor would normally get access to some test keys, if they can't normally access those keys through some administration interface.



    You can make a statistical test, but all this will tell you is that the encryption is not completely botched or skipped.



    If your vendor is not completely dishonest and they claim to have used AES, they probably did use AES. A far more common problem than not using AES is using AES wrong. Here too, you can't be sure that they got it right, but you can at least check for some common problems.



    Check how the length of the ciphertext varies depending on the length of the plaintext. The ciphertext should include an initialization vector and an authentication tag, each of which normally adds 16 bytes. If the ciphertext is not 32 bytes larger than the plaintext, something is probably wrong, but there are cases where it can be ok (e.g. for disk encryption where the sector number is used to build unique IVs and no threat requires authentication).



    Pass the same inputs in different conditions and make sure that the resulting ciphertexts are completely different. If you can arrange to encrypt multiple messages with the same key, make sure that identical messages result in completely different ciphertexts. This validates that initialization vectors are generated, if not correctly, then at least non-stupidly.



    If there's a way for you to submit modified ciphertexts, do that and check that they are rejected with a generic “invalid ciphertext” error, rather than a specific error due to invalid content. This validates that authenticated encryption is used. There are threat models where it's ok not to have authentication, but you need to tread very carefully.



    Two things that you definitely cannot know by looking at the output is whether the keys are generated and stored securely. (As opposed to e.g. using a non-cryptographic random generator to generate keys, and writing a copy of the secret keys to an unprotected location.) You can only audit this by looking at the behavior of the system.






    share|improve this answer









    $endgroup$



    If you can't get access to the key for at least some sample uses, there's no way to be sure. For example, it's impossible to distinguish AES-128 from AES-256 if you don't have access to the key. That's true of any encryption method: without knowing the key, you can't distinguish the ciphertext from random data of the same length.



    A professional auditor would normally get access to some test keys, if they can't normally access those keys through some administration interface.



    You can make a statistical test, but all this will tell you is that the encryption is not completely botched or skipped.



    If your vendor is not completely dishonest and they claim to have used AES, they probably did use AES. A far more common problem than not using AES is using AES wrong. Here too, you can't be sure that they got it right, but you can at least check for some common problems.



    Check how the length of the ciphertext varies depending on the length of the plaintext. The ciphertext should include an initialization vector and an authentication tag, each of which normally adds 16 bytes. If the ciphertext is not 32 bytes larger than the plaintext, something is probably wrong, but there are cases where it can be ok (e.g. for disk encryption where the sector number is used to build unique IVs and no threat requires authentication).



    Pass the same inputs in different conditions and make sure that the resulting ciphertexts are completely different. If you can arrange to encrypt multiple messages with the same key, make sure that identical messages result in completely different ciphertexts. This validates that initialization vectors are generated, if not correctly, then at least non-stupidly.



    If there's a way for you to submit modified ciphertexts, do that and check that they are rejected with a generic “invalid ciphertext” error, rather than a specific error due to invalid content. This validates that authenticated encryption is used. There are threat models where it's ok not to have authentication, but you need to tread very carefully.



    Two things that you definitely cannot know by looking at the output is whether the keys are generated and stored securely. (As opposed to e.g. using a non-cryptographic random generator to generate keys, and writing a copy of the secret keys to an unprotected location.) You can only audit this by looking at the behavior of the system.







    share|improve this answer












    share|improve this answer



    share|improve this answer










    answered 7 hours ago









    GillesGilles

    8,9663 gold badges29 silver badges58 bronze badges




    8,9663 gold badges29 silver badges58 bronze badges














    • $begingroup$
      For the last check, I used a canari method: a huge key (a string of 128 U), and during and after the encryption process on a system without not too much free room, I ran a grep canari /dev/kmem. What is your critical analysis of this method? (Perhaps interesting enough to fork another question?).
      $endgroup$
      – dan
      1 hour ago











    • $begingroup$
      This can be much improved if you know how to detect electronic code book.
      $endgroup$
      – Joshua
      29 mins ago










    • $begingroup$
      @dan: I wouldn't try that. You are really looking for leftover garbage when the process exits; memory is lazily cleared by the kernel.
      $endgroup$
      – Joshua
      26 mins ago
















    • $begingroup$
      For the last check, I used a canari method: a huge key (a string of 128 U), and during and after the encryption process on a system without not too much free room, I ran a grep canari /dev/kmem. What is your critical analysis of this method? (Perhaps interesting enough to fork another question?).
      $endgroup$
      – dan
      1 hour ago











    • $begingroup$
      This can be much improved if you know how to detect electronic code book.
      $endgroup$
      – Joshua
      29 mins ago










    • $begingroup$
      @dan: I wouldn't try that. You are really looking for leftover garbage when the process exits; memory is lazily cleared by the kernel.
      $endgroup$
      – Joshua
      26 mins ago















    $begingroup$
    For the last check, I used a canari method: a huge key (a string of 128 U), and during and after the encryption process on a system without not too much free room, I ran a grep canari /dev/kmem. What is your critical analysis of this method? (Perhaps interesting enough to fork another question?).
    $endgroup$
    – dan
    1 hour ago





    $begingroup$
    For the last check, I used a canari method: a huge key (a string of 128 U), and during and after the encryption process on a system without not too much free room, I ran a grep canari /dev/kmem. What is your critical analysis of this method? (Perhaps interesting enough to fork another question?).
    $endgroup$
    – dan
    1 hour ago













    $begingroup$
    This can be much improved if you know how to detect electronic code book.
    $endgroup$
    – Joshua
    29 mins ago




    $begingroup$
    This can be much improved if you know how to detect electronic code book.
    $endgroup$
    – Joshua
    29 mins ago












    $begingroup$
    @dan: I wouldn't try that. You are really looking for leftover garbage when the process exits; memory is lazily cleared by the kernel.
    $endgroup$
    – Joshua
    26 mins ago




    $begingroup$
    @dan: I wouldn't try that. You are really looking for leftover garbage when the process exits; memory is lazily cleared by the kernel.
    $endgroup$
    – Joshua
    26 mins ago











    0












    $begingroup$

    In addition to what the other answers have stated, "proper" encryption using AES-256 (block mode choice aside) can still allow backdoors, such as by maliciously choosing IVs/nonces. Phil Rogaway and others discuss this in more detail in their paper "Security of Symmetric Encryption against Mass Surveillance" (abstract available here).






    share|improve this answer









    $endgroup$



















      0












      $begingroup$

      In addition to what the other answers have stated, "proper" encryption using AES-256 (block mode choice aside) can still allow backdoors, such as by maliciously choosing IVs/nonces. Phil Rogaway and others discuss this in more detail in their paper "Security of Symmetric Encryption against Mass Surveillance" (abstract available here).






      share|improve this answer









      $endgroup$

















        0












        0








        0





        $begingroup$

        In addition to what the other answers have stated, "proper" encryption using AES-256 (block mode choice aside) can still allow backdoors, such as by maliciously choosing IVs/nonces. Phil Rogaway and others discuss this in more detail in their paper "Security of Symmetric Encryption against Mass Surveillance" (abstract available here).






        share|improve this answer









        $endgroup$



        In addition to what the other answers have stated, "proper" encryption using AES-256 (block mode choice aside) can still allow backdoors, such as by maliciously choosing IVs/nonces. Phil Rogaway and others discuss this in more detail in their paper "Security of Symmetric Encryption against Mass Surveillance" (abstract available here).







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered 38 mins ago









        rlee827rlee827

        1256 bronze badges




        1256 bronze badges























            dan is a new contributor. Be nice, and check out our Code of Conduct.









            draft saved

            draft discarded


















            dan is a new contributor. Be nice, and check out our Code of Conduct.












            dan is a new contributor. Be nice, and check out our Code of Conduct.











            dan is a new contributor. Be nice, and check out our Code of Conduct.














            Thanks for contributing an answer to Cryptography Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            Use MathJax to format equations. MathJax reference.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f72384%2fhow-to-check-a-file-was-encrypted-really-correctly%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            Invision Community Contents History See also References External links Navigation menuProprietaryinvisioncommunity.comIPS Community ForumsIPS Community Forumsthis blog entry"License Changes, IP.Board 3.4, and the Future""Interview -- Matt Mecham of Ibforums""CEO Invision Power Board, Matt Mecham Is a Liar, Thief!"IPB License Explanation 1.3, 1.3.1, 2.0, and 2.1ArchivedSecurity Fixes, Updates And Enhancements For IPB 1.3.1Archived"New Demo Accounts - Invision Power Services"the original"New Default Skin"the original"Invision Power Board 3.0.0 and Applications Released"the original"Archived copy"the original"Perpetual licenses being done away with""Release Notes - Invision Power Services""Introducing: IPS Community Suite 4!"Invision Community Release Notes

            Canceling a color specificationRandomly assigning color to Graphics3D objects?Default color for Filling in Mathematica 9Coloring specific elements of sets with a prime modified order in an array plotHow to pick a color differing significantly from the colors already in a given color list?Detection of the text colorColor numbers based on their valueCan color schemes for use with ColorData include opacity specification?My dynamic color schemes

            Ласкавець круглолистий Зміст Опис | Поширення | Галерея | Примітки | Посилання | Навігаційне меню58171138361-22960890446Bupleurum rotundifoliumEuro+Med PlantbasePlants of the World Online — Kew ScienceGermplasm Resources Information Network (GRIN)Ласкавецькн. VI : Літери Ком — Левиправивши або дописавши її