Let's say I have a ciphertext encrypted with CTR.
And I know the nonce that was used for the encryption as well as the AES key. Is it possible to decrypt the given ciphertext using ECB mode?
Sorry if this has already been asked; I looked around and couldn't find anything.
I'm developing an encryption protocol where I have to create an AES key in CTR mode. I decided to keep the key length at 128 bits, as a shorter key size would mean less computing power for mobile devices.
Now, to create this key, I use PBKDF2, which allows me to set certain parameters such as the hashing function and iteration number, as it derives a key from some initial information, such as a password, which is what I have. As SHA-1 is broken, I wanted to use SHA-256 as the key derivation function's hash, but I don't understand if that is possible. As I want the key to be 128 bits and SHA-256 produces 256 bits, is PBKDF2 capable of doing that?
AES-256 is not much slower than AES-128: key setup is slightly slower, and every block only needs 4 more rounds (11 to 15). So it's about 40% slower at most, and with modern phones having dedicated AES instruction sets probably even less.
PBKDF2 can output almost any size of key, and mostly HMAC-SHA1 or HMAC-SHA256 (not SHA1 or SHA256 directly, but most APIs only accept a hash function as a parameter and do the HMAC implicitly) is used as the building block "random function". But either one can produce 256-bit, 128-bit or 10000-byte keys (not that you need that large a key anyway). With HMAC-SHA256 it's equally cheap or expensive to derive a 256-bit or 128-bit key (the latter is a truncated version of the former, but that's no issue); it's the same work. With HMAC-SHA1 (which is as secure as HMAC-SHA256 for PBKDF2) it's a bit more work to get a 256-bit key, as 256 is more than the digest size.
So use AES-256 and PBKDF2-(HMAC)-SHA256; there should be no performance issue.
First of all, AES-256 is not so slow compared to AES-128. See from Cryptography
CPU overhead (+20% for a 192-bit key, +40% for a 256-bit key:
PBKDF2's output size is equal to that of the PRF used; in your case it is a hash function, SHA-256. Therefore the output will be 256 bits in size.
The PBKDF2 function requires a dkLen parameter: the desired key length.
PBKDF2(PRF, Password, Salt, c, dkLen)
When you put 128 into this parameter you will get a 128-bit key. The output is a substring of the full 256-bit output: you will get the first 128 bits.
You can see it from implementations as here
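The truncation behaviour both answers above describe, as an added example (not code from either answer): PBKDF2 rebuilt block by block from HMAC following RFC 8018 and checked against Node's `crypto.pbkdf2Sync`. The password, salt, low iteration count and function names are constructed for the illustration.

```javascript
const crypto = require("node:crypto");

// Digest sizes in bytes of the two HMAC building blocks discussed above.
const HLEN = { sha1: 20, sha256: 32 };

// F(P, S, c, i) from RFC 8018: U_1 = HMAC(P, S || INT(i)), U_j = HMAC(P, U_{j-1}),
// and the block T_i is U_1 xor U_2 xor ... xor U_c.
function pbkdf2Block(hash, password, salt, iterations, index) {
  const idx = Buffer.alloc(4);
  idx.writeUInt32BE(index);
  let u = crypto.createHmac(hash, password).update(salt).update(idx).digest();
  const t = Buffer.from(u);
  for (let j = 1; j < iterations; j++) {
    u = crypto.createHmac(hash, password).update(u).digest();
    for (let k = 0; k < t.length; k++) t[k] ^= u[k];
  }
  return t;
}

// Returns the derived key and how many full iteration chains (blocks) it cost.
function pbkdf2(hash, password, salt, iterations, dkLen) {
  const blocks = Math.ceil(dkLen / HLEN[hash]);
  const parts = [];
  for (let i = 1; i <= blocks; i++) {
    parts.push(pbkdf2Block(hash, password, salt, iterations, i));
  }
  // dkLen only decides where T_1 || T_2 || ... is cut off.
  return { key: Buffer.concat(parts).subarray(0, dkLen), blocks };
}

// Constructed sample inputs; the iteration count is kept low so the demo runs fast.
const PASSWORD = Buffer.from("correct horse battery staple");
const SALT = Buffer.from("00112233445566778899aabbccddeeff", "hex");
const ITERATIONS = 1000;

function demo() {
  const k128 = pbkdf2("sha256", PASSWORD, SALT, ITERATIONS, 16);
  const k256 = pbkdf2("sha256", PASSWORD, SALT, ITERATIONS, 32);
  const s256 = pbkdf2("sha1", PASSWORD, SALT, ITERATIONS, 32);
  const ref = crypto.pbkdf2Sync(PASSWORD, SALT, ITERATIONS, 32, "sha256");
  return {
    matchesNode: ref.equals(k256.key),                      // same result as the built-in
    isPrefix: k256.key.subarray(0, 16).equals(k128.key),    // 128-bit key = first half
    blocks: [k128.blocks, k256.blocks, s256.blocks],        // SHA-1 needs 2 blocks for 256 bits
  };
}

console.log(demo());
```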
What are the advantages of having a symmetric encryption algorithm with a lower probability of key retrieval than the asymmetric encryption used for transferal of symmetric key? I can see how it obligates the eavesdropper to concentrate on the asymmetric key, but are there other advantages?
Can we assume that the same encryption key is used to encrypt data if the encrypted data are the same?
For example, plain text is 'This is sample'.
First time we use 3DES algorithm and encryption key to encrypt it. Encrypted data became 'MNBVCXZ'.
Second time again, we use 3DES algorithm and encryption key to encrypt it. Encrypted data became 'MNBVCXZ'.
My questions are:
Can I assume a static encryption key is used in this encryption process?
How many keys can be used to encrypt data using the 3DES algorithm?
Can I assume a static encryption key is used in this encryption process?
Yes, if you perform the encryption yourself (with a very high probability), no if an adversary can perform the encryption and the plaintext/ciphertext is relatively small.
As 3DES does indeed have 2^168 possible keys and 2^64 possible blocks, it should be obvious that some keys will encrypt a single plaintext to the same ciphertext. Finding such a pair of keys requires about 2^32 calculations on average (because of the birthday paradox).
If the plaintext is larger (requires more than one block encrypt) then the chance of finding a different key that produces the same ciphertext quickly will go to zero.
If one of the keys is preset it will take about 2^64 calculations to find another key. And - for the same reason - there is only a chance of 1 / 2^64 to use two keys that unfortunately produce the same ciphertext for a specific plaintext.
If you want to make the calculations yourself, more information here on the crypto site.
How many keys can be used to encrypt data using the 3DES algorithm?
2^168 if you consider the full set of possible keys, i.e. you allow DES-ABC keys. These keys are encoded as 192 bits including parity. This would include DES-ABA and DES-AAA keys (the latter is equivalent to single DES).
2^112 if you consider only DES-ABA keys. These keys are encoded as 128 bits including parity. This would include single DES.
The default params used for AES encryption with CryptoJS are:
Cypher: AES-256
Mode: cbc
Key Derivation: evpkdf (OpenSSL custom, MD5, 1 iteration)
Are these safe to use?
Related: What are the AES parameters used and steps performed internally by crypto-js while encrypting a message with a password?
Answering my own question; NO! ABSOLUTELY NOT!
CryptoJS by default does only a single iteration of MD5 hashing over the password, which is extremely weak unless the password is extremely strong!
Correct key derivation of arbitrary passwords should do key derivation with something along the lines of 30k iterations!
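What the default derivation described above amounts to, as an added example (not CryptoJS source code): an OpenSSL EVP_BytesToKey-style function fixed to MD5, beside a PBKDF2-HMAC-SHA256 derivation at the 30k iterations the answer mentions. The sample password, the salts and all function names are assumptions made for the illustration.

```javascript
const crypto = require("node:crypto");

// EVP_BytesToKey-style derivation as OpenSSL defines it, fixed to MD5:
// D_1 = MD5(password || salt), D_n = MD5(D_{n-1} || password || salt),
// and D_1 || D_2 || ... is cut into key and IV.
function evpKdfMd5(password, salt, keyLen, ivLen, iterations = 1) {
  let out = Buffer.alloc(0);
  let block = Buffer.alloc(0);
  let md5Calls = 0;
  while (out.length < keyLen + ivLen) {
    block = crypto.createHash("md5")
      .update(block).update(password).update(salt).digest();
    md5Calls++;
    for (let i = 1; i < iterations; i++) {
      block = crypto.createHash("md5").update(block).digest();
      md5Calls++;
    }
    out = Buffer.concat([out, block]);
  }
  return {
    key: out.subarray(0, keyLen),
    iv: out.subarray(keyLen, keyLen + ivLen),
    md5Calls,
  };
}

// Hardened counterpart: PBKDF2-HMAC-SHA256 for the key only, IV drawn at random.
function deriveHardened(password, salt, iterations = 30000) {
  return {
    key: crypto.pbkdf2Sync(password, salt, iterations, 32, "sha256"),
    iv: crypto.randomBytes(16),
    hmacCalls: iterations, // a 32-byte key is one PBKDF2 block = `iterations` HMAC calls
  };
}

// Constructed sample inputs
const PASSWORD = Buffer.from("hunter2");
const SALT8 = Buffer.from("0102030405060708", "hex");
const SALT16 = Buffer.from("000102030405060708090a0b0c0d0e0f", "hex");

function compare() {
  const weak = evpKdfMd5(PASSWORD, SALT8, 32, 16); // AES-256 key + CBC IV
  const strong = deriveHardened(PASSWORD, SALT16);
  return { weak, strong, costRatio: strong.hmacCalls / weak.md5Calls };
}

const summary = compare();
console.log(`MD5 calls per password: ${summary.weak.md5Calls}, HMAC calls: ${summary.strong.hmacCalls}`);
```

With one iteration, the key and IV together cost three MD5 calls per candidate password, and the IV is a deterministic function of the same password and salt.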