Score: 0

Using the hash of the plaintext as the key

I want to start off by being very clear: I'm not designing a system around this, this is 100% a hypothetical I was toying with.

Is there any harm in using the cryptographic hash of a plaintext as the key? For instance, if my message was Hello, world!, that produces the SHA256 315f5bdb76d078c43b8ac0064e4a0164612b1fce77c869345bfc94c75894edd3. Is there any weakness in using this as a key?

If my system used a pre-determined set of messages, then I can clearly see the attack: hash all the messages, and try them all as keys.

So questions:

  1. Is there any immediate weakness (assuming the messages I'm sending aren't pre-canned)?
  2. Is using a nonce enough to overcome any weakness when using AES?
  3. If not using a nonce, is it still viable?
poncho: Is this a cipher (that is, one in which the receiver is expected to decrypt)? If so, how does the receiver get the key?
John Smith: Does that matter? I'm not being snarky, I'm legitimately curious if that affects the answer. Can we just assume that's a separate problem? Let's say I hand the receiver the key/hash written on a piece of paper (i.e. abstract the problem away).
kelalaka: Does this answer your question? [Is Convergent Encryption really secure?](https://crypto.stackexchange.com/questions/729/is-convergent-encryption-really-secure)
Today's requirements for encryption are at the very least "IND-CPA", which this fails. So in terms of encryption, this doesn't work. As a hash function, it's probably fine.
Score: 1

The biggest issue is of course that you would need to know the message to be able to decrypt it.

> Is there any immediate weakness (assuming the messages I'm sending aren't pre-canned)?

Pre-canned is too loose a term. If an adversary can guess the plaintext in any way then the key would become known. The security of AES would be downgraded if the entropy in the message is lower than the key size.

Note that it is assumed that the adversary knows the hash function used (Kerckhoffs's principle), so no security can be gained from that.

> Is using a nonce enough to overcome any weakness when using AES?

AES doesn't use a nonce. Cryptographic schemes and block cipher modes of operation such as GCM may use a nonce. However, a nonce doesn't remove any other vulnerabilities of the scheme or mode of operation. Having a nonce may be a pre-condition for a specific scheme or mode of operation, but that's about it.

> If not using a nonce, is it still viable?

No, it is not a good idea.

Possibly you would need to take a look at password-based key derivation functions instead (PBKDF functions, also known as password hashes). These provide healthy things such as a salt and work factor / iteration count. The salt is probably the kind of nonce usage that you are looking for, and the work factor makes it harder to guess the message.
