Let's say I have a ciphertext encrypted with CTR.
And I know the nonce used to be encrypted as well as the AES key. Is it possible to decrypt the given ciphertext using ECB mode?
sorry if this is already asked, i looked around couldn't find anything
so I understand that Vigenere Cipher can be cracked, without key, by using frequency analysis and there are
some clever ways to get the key length.
My question is what if we encrypt the ciphertext again with a different set of keys?
All methods I've seen at obtaining the key length so far relies on frequency analysis of some sort.
The first round of encryption should give a pretty even distribution of letters, so if we
encrypt it again, then it should be disable any method that try to decrypt without the key.
Would this make it unbreakable?
No, hypothetically we can still apply frequency analysis on the new ciphertext, as the Vigenere cipher is still broken. You simply make it more difficult for an attacker to perform analysis, but all you're adding is a layer of obfuscation. This doesn't magically patch broken ciphers unfortunately.
Example, say we have a plaintext and encrypt it twice, using different keys
plaintext stackoverflow
key1 heapunderflow
key2 cryptographic
ciphertext boygxpezizdku
This would be equal as first encrypting key1 with key2 and then using that output as a key on the plaintext
key1 heapunderflow
key2 cryptographic
key3 jvyenbjvruswy (ciphertext of key1-key2 encryption)
plaintext stackoverflow
key3 jvyenbjvruswy
ciphertext boygxpezizdku
Of course, then we could still apply analysis. When the key is truly random, as long as the plaintext and only used once, only then is the Vigenere cipher hypothetically unbreakable, however, then the key provides the cryptography strength, not the cipher, in which scenario we refer to the system as a one-time pad.
I'm reading that it is because RSA has to do with math (prime numbers) while Symmetric key encryption is about taking blocks of data and modifying the blocks with replacements and remappings, but I still don't understand why Asymmetric encryption has to have longer keys because of that, or if that's even why?
For symmetric ciphers, the cipher strength depends on the key length assuming the cipher is not broken.
Asymmetric encryption is based on a trapdoor function (not necessarily prime numbers, there are others as well, such as elliptic curves or lattices). It should be one way function (for encryption) with very difficult computation of its inverse (decryption) without some kind of secret. So the strength of the asymmetric cipher depends on key length and as well on how difficult is to compute the function inverse with the specific key length
Example: breaking a 128 bit symmetric key would mean testing 2^128 numbers. Solving discrete logarithm problem (inverse of RSA) for 128 bit key will take much less time (we need to solve a math problem, not find a random key), so much longer key is needed to make up the same level of security
I read some white paper about RSA encryption. I find this statement. but I can't understood why?
Statment is The time for RSA encryption and Decryption depends on the key size, but does not depend on the size and content of input data, if this statment right meaningly wehen encrypt 1000 byte , 10000 byte same time for encrypt and decrypt?
The time is always the same because the input length is always the same.
The plain text is padded to the size of the RSA modulus. If the plain text is too long, you cannot encrypt it with RSA. Of course, you can split your plain text up and encrypt each chunk with an independent RSA operation, but this isn't how the algorithm was intended to be used.
RSA encryption is best suited as a key transport algorithm. You choose a symmetric key, and use an RSA public key to encrypt it. The symmetric key can be used for encrypting a lot of data with some algorithm like AES. This is much, much faster than using public key cryptography to encrypt and decrypt bulk data.
Is it possible to encrypt in one order and decrypt in another? For example I've got the following:
plain_text.txt
Public/Private Key pair 1
Public/Private Key pair 2
Example
Encryption:
public1(public2(plain_text.txt))
Decryption:
private1(private2(encrypted))
Is there any encryption algorithm that allows this? Is it even possible?
In most cases you can't change the order of the decryption.
Schemes that allow to reorder decryption are called commutative cryptosystems.
One public key cryptosystem that can be used to build a commutative cryptosystem is
the ElGamal encryption.
Here is just the main idea: Assume g is a generator of
a suitable group G, for which computing discrete logarithms is hard.
Let xA and xB be two private keys,
hA = g xA , and
hB = g xB
be the corresponding public keys. Both keys pairs use the same group
G (i.e. the same modulus p if we use G = Z/(p)). It is one advantage of the
ElGamal scheme that it still is secure if two users share the same group (or modulus).
RSA on the other hand will be insecure.
Encrypting a message m with hA gives the ciphertext
(m hAr, gr).
Note that knowing the secret key xA allows to decrypt because
(gr)xA = hAr
To encrypt the ciphertext a second time one would first re-encrypt the existing
ciphertext with A's public key.
He chooses a random r' and computes
(m hAr hAr', grgr') =
(m hAr+r', gr+r').
The result is just another valid encryption with A's public key.
This re-encryption is necessary to avoid an attack that works for example
against RSA with equal modulus as shown below.
Next, one would encrypt with B's public key giving
(m hAr+r' hBs, gr+r', gs).
Decryption is possible in either order, e.g. knowing xA allows to compute
(gr+r')xA = hAr+r'
and hence one can compute
(m hBs, gs),
which is just what we want: an encryption of m with B's public key.
There are a number of subtleties that need to be observed to get a secure implementation.
And getting this right isn't easy.
For more info see for example the Phd of Stephen Weis, which contains a chapter on commutative encryption.
There are a number of problems if the same idea is tried with "textbook RSA". First to make the encryption commutative it is necessary that both users A and B share the same modulus.
E.g. A uses (n, eA, dA) and B uses (n, eB, dB), where n is the modulus, eA, eB the public keys and dA, dB the secret keys. However, knowing for example (n, eA, dA) allows to factor n, and hence compute B's secret key, which is of course one big flaw.
Now we could encrypt m as
meA mod n,
encrypt again as
meAeB mod n,
decrypt with A's secret key giving
meB mod n,
and decrypt again with B's secret key to get m. That looks fine until one notices that
an attacker who can intercept the two ciphertexts c = meA mod n and c' = meB mod n can use Euclid's algorithm to find r,s such that
r eA + s eB = 1
and then compute
m = cr (c')s mod n.
The idea also works against the solution using RC4 proposed in another answer. Weis's thesis contains a detailed description of the attack.
With most public implementations of RSA it would not be possible. The decryption routine expects the plaintext to be in a specific format (i. e. properly padded) and fails if it's not. Again, on encryption it would apply padding to the plaintext, instead of using the blob as it is.
/*
The math of RSA allows for that, AFAIK, as long as the moduli of the two keys are coprime (which is true almost always). But you'll probably have to roll your own implementation.
*/
Another problem is that the numeric value of the plaintext block should be smaller than the modulus. So the modulus of the first key should be smaller than that of the second key, otherwise no guarantee that the first cyphertext would be a proper plaintext for the second encryption round.
OpenSSL has, I vaguely recall, a no-padding mode. You might have some luck with that.
EDIT: in general, coming up with your own cryptographic primitives is a bad idea in 99.9% cases. If your interest is purely academic, then be my guest; but if you're after a specific piece of applied functionality (i. e. encrypt something so that the consent of two nontrusting parties is needed to decrypt), then you're definitely on the wrong track.
EDIT2: the math of RSA allows for that if the moduli are identical. Scratch paragraph two. But having two keys share the same modulus compromises security very much. If Alice has private key (m, d) and Cindy as private key (m, d') - assuming same m - then Alice can determine d' in O(m) time, given a single plaintext/cyphertext pair from Cindy. Not good.
With public key/private key encryption, the answer is no. PubK1(PubK2(plain.text)) => encrypted.text. You must decrypt with PrivK2(PrivK1(encrypted.text)).
However, if you use a symmetric stream cipher such as RC4, then you could change the order of the decryption (A xor B xor C = C xor B xor A). But that is not a public/private key algorithm obviously.
This would only be true if the encryption algorithm behaved as a specific kind of mathematical group. Most (all?) block encryption algorithms are not such groups.
AFAIK this should be possible with slight modification to RSA. I do not know of any tool which can actually do it though.
No, it does not work. Very simply, you cannot guarantee unique decryption because one modulus is bigger than the other.
EDIT: I'm assuming this is RSA. If not, then I'd have to think about some of the others.
EDIT2: If you are always willing to use the smaller modulus first, then it does work.