In this example, the IV is known to both the Encrypt and Decrypt methods because they're in the same scope of the using(Aes myAes = AesCreate()) block. But when that is not the case, and it's never ever the same IV twice, how does the decryption routine get the IV?
Related
in the following case, if privateKeyOfA is leaked, what's the security problem? Can someone decrypt the message without privateKeyOfB??
Aes.encrypt(privateKeyOfA, publicKeyOfB, message)
Aes.decrypt(publicKeyOfA, privateKeyOfB)
If not, I guess why we need privateKeyOfA here is for A's signature?
The signature is needed since the receiver must know that the message is coming from someone that he can identify. If he cannot verify the signature, this means that he doesn't know the person.
If the private key of A is compromised by a hacker, he can send messages to everybody with signature impersonating the A.
A key exchange (e.g. using DH or ECDH) would be used by A to convert privateKeyOfA + publicKeyOfB into an AES key. This same AES key can also be generated identically by B using privateKeyOfB + publicKeyOfA. All traffic between A and B would be encrypted using the same AES key.
Assuming that all public keys are known (they are public after all), then anyone who has access to privateKeyOfA can regenerate all AES keys that were generated by A to communicate with anyone. This means all traffic involving this key (messages sent or received by A, with B or anyone else) would be compromised.
But if an ephemeral version was used (like in some modes of TLS), then a new key is generated for each session, so that if 1 key is ever compromised, only this session is compromised. You can read more about forward secrecy.
If the keys are used in the way you describe, then they are not used for signature.
I know with RSA there are a few ways you can encrypt and decrypt data, meaning you can encrypt with either the public or private key (or both), and you can also decrypt with just a private or public key, or both.
With Triple Des, do you need both key and iv to decrypt? Or can you do it somehow with just a key? (public key?)
Being a symmetric algorithm, DES (and 3DES) uses a shared secret key. It doesn't have public keys.
And IV must be known to decryptor if this IV was used during encryption.
RSA is a public-key (or asymmetric) encryption algorithm – which means that there are key pairs of public and private keys, where you encrypt with one of them and decrypt with the other.
DES and Triple-DES are block ciphers. You use them together with a mode of operation to encrypt or decrypt a message – you use the same key for encryption as for decryption. This is known as a symmetric algorithm.
Some modes of operation (all good ones) need an initialization vector, so identical plaintexts don't lead to identical ciphertexts (and sometimes other weaknesses as well). Normally this initialization vector should be send/stored together with the ciphertext, it doesn't have to be secret. Depending on the mode of operation and the usage scenario, the IV should be used only once, be random, or non-predictable.
Also, nowadays you should not use DES (it has a too small key size to be secure). Triple-DES is okay, but much slower (and not more secure) than modern algorithms like AES.
3DES is no different than any other block cipher. If you are using a cipher mode which requires an IV, and you are not including the IV in the message header, you will need it to decrypt the message.
I have a Software that Encrypts message using AES , the random generated AES key is Encrypted by the receiver's public RSA key. now when I send the message to multiple users...
Sender Side :
Message is Encrypted by Random hashed (sha256) AES KEY
The AES key is then Encrypted many time and appended to the encrypted message using each receiver's public key.
the message has [ number for receivers, [list of encrypted keys], Encrypted message]
Receiver Side:
get the number of receivers
loop thru the appended encrypted keys and decrypt using your Private RSA. until you find the one intended for you. such that when he/she decrypt the key they get the AES Key.
3.decrypt the message using AES key.
Knowing that the key is of base 64 string which means it ends with '=', and of the length 256 because of the sha
the Question IS :
How Do i know (if I'm the receiver) that the Decrypted key using my Private RSA is correct Automatically ?
thank you in advance.
Two questions: Is the protocol you describe fixed, or might it be modified in any way? If it is fixed, which padding scheme do you use for RSA? PKCS#1 v1.5, OAEP or none at all?
If the protocol might be modified, you could use a cipher mode with authentication, such as EAX, CCM or GCM. If RSA key transport decryption fails silently, so will the authenticated AES decryption.
Use a variation of RSA-OAEP for the key transport that provides "plain text awareness" as described here: http://www.rsa.com/rsalabs/node.asp?id=2346.
There is no way to find this encrypted message belongs to which receiver.
But you can do is try to decrypt the message if the decrypt is successful then that is the Receiver
I understand that unique IV is important in encrypting to prevent attacks like frequency analysis. The question: For AES CBC encryption, whats the importance of the IV? has a pretty clear answer explaining the importance of the IV.
Would there be any security holes in sending the IV in clear text? Or would it need to be encrypted with the same public/private key that was used to send the symmetric key?
If the IV needs to be sent encrypted, then why not generate a new symmetric key each time and consider the IV as part of the key? Is it that generating a symmetric key is too costly? Or is it to minimize the amount of data transported?
The top answer to Secret vs. Non-secret Initialization Vector states:
A typical key establishment protocol will result in both involve parties computing a piece of data which they, but only they, both know. With Diffie-Hellman (or any Elliptic Curve variant thereof), the said shared piece of data has a fixed length and they have no control over its value (they just both get the same seemingly random sequence of bits).
How do two entities derive the "same seemingly random sequence of bits" without having a shared piece of information? Is the assumption that the shared information was sent encrypted? And, if the shared information is sent encrypted, why not just send the IV encrypted?
Because an application needs to transport the symmetric key securely, it would seem that separating the IV from the key itself is essentially an optimization. Or am I missing something?
There is no security hole by sending the IV in cleartext - this is similar to storing the salt for a hash in plaintext: As long as the attacker has no control over the IV/salt, and as long as it is random, there is no problem.
The main difference between initialization vector and key is that the key has to be kept secret, while the IV doesn't have to be - it can be readable by an attacker without any danger to the security of the encryption scheme in question.
The idea is that you can use the same key for several messages, only using different (random) initialization vectors for each, so relations between the plain texts don't show in the corresponding ciphertexts.
That said, if you are using a key agreement scheme like Diffie-Hellman, which gives you a new shared secret for each session anyways, you can also use it to generate the first initialization vector. This does not really give much security advantages compared to choosing the initialization vector directly and sending it with the message, but saves some bits of bandwith, and some bits of entropy from your random source. And it makes the IV a bit more random in case that one of the partners has a bad randomness source (though DH is not really secure in this case, too).
How do two entities derive the "same seemingly random sequence of bits" without having a shared piece of information?
Is the assumption that the shared information was sent encrypted? And, if the shared information is sent encrypted,
why not just send the IV encrypted?
Diffie-Hellman is based on a group-theoretic problem: Eve knows a (cyclic) group G with generator g and sees the the two values g^a (transmitted from Alice to Bob) and g^b (transmitted from Bob to Alice), where a and b are random large integers chosen by Alice and Bob, and unknown to Eve and even the other partner). The shared secret is then (g^a)^b = g^(a·b) = (g^b)^a. Obviously Bob (who knows b) can calculate the secret as (g^a)^b, while Alice (who knows a) can calculate (g^b)^a. Eve somehow needs to derive this secret to crack the protocol.
In some groups this (known as the computational Diffie-Hellman problem) seems to be a hard problem, and we are using these groups in Cryptography. (In the original DH, we use a subgroup of prime order of the multiplicative group of some large finite prime field, in Elliptic Curve DH we use an elliptic curve group over a finite field. Other groups work, too (but some of them are weak, e.g. in the additive group of a field it is trivial to solve).)
Then both Alice and Bob use a key derivation function to derive the actual keying material (i.e. encryption keys for both directions, MAC keys, and the starting IVs).
I have a small confusion on SSL handshake between browser and server in a typical https web scenario:
What I have understood so far is that in the process of SSL handshake, client (browser in this case) encrypts a randomly selected symmetric key with the public key (certificate received from server). This is sent back to the server, server decrypts it (symmetric key) with the private key. This symmetric key is now used during rest of the session to encrypt/decrypt the messages at both the ends. One of main reasons to do so is given as faster encryption using symmetric keys.
Questions
1) How does browser pick and generates this "randomly" selected symmetric key?
2) Do developers (or/and browser users) have control on this mechanism of generating symmetric keys?
Here is a very good description of how HTTPS connection establishment works. I will provide summary how session key is acquired by both parties (client and server), this process is known as "a key agreement protocol", here how it works:
The client generates the 48 byte “pre-master secret” random value.
The client pads these bytes with random data to make the input equal to 128 bytes.
The client encrypts it with server's public key and sends it to the server.
Then master key is produced by both parties in following manner:
master_secret = PRF(
pre_master_secret,
"master secret",
ClientHello.random + ServerHello.random
)
The PRF is the “Pseudo-Random Function” that’s also defined in the
spec and is quite clever. It combines the secret, the ASCII label, and
the seed data we give it by using the keyed-Hash Message
Authentication Code (HMAC) versions of both MD5 and SHA-1 hash
functions. Half of the input is sent to each hash function. It’s
clever because it is quite resistant to attack, even in the face of
weaknesses in MD5 and SHA-1. This process can feedback on itself and
iterate forever to generate as many bytes as we need.
Following this procedure, we obtain a 48 byte “master secret”.
Quoting from a this great video on network video, minute 1:18:07
Well where do you get randomness on your computer because your
computer is a deterministic device?
Well it collects entropies like your mouse stroke movements, your key
stroke movements and the timing of your hard disk, it tries to collect
all that randomness from the universe into a pull so that it can generate random keys just for one connection [this session]. And if that randomness is broken and its happened many times
in the last 30 years, then none of this works. If the adversary can
figure what your randomness can be then they can guess your keys. So use good randomness.
Note: the keys are created per session.