Score:1

Is there a standard way of scrambling the output of AES?

lb flag

So I needed symmetric encryption for my program. I landed on AES 192 bits in the CTR mode, because of some Computerphile videos on YouTube.

After using it with the Node.js "crypto" lib implementation, I noticed that some of the outputs are very similar. The output is created from a UTF-8 SQL syntax string input and digested to base64. Based on what I know so far, this makes sense, since a lot of SQL strings would start with the same text, e.g. "SELECT ...", and AES works with independent blocks of data. I also append a random integer to the end of each of these inputs, but cannot at the start (because of the specific situation).

Is it a problem that the start of a crypt can be easily guessed? If so, is there a way to scramble the output, such that it can be unscrambled later with the same key and IV?

Are there alternative algorithms or modes that do this kind of thing? I need the output to be unintelligible and unalterable.

Morrolan avatar
ng flag
To clarify: Are you reusing the same IV for multiple encryptions? If so then that is extremely ill-advised, see e.g. [this](https://crypto.stackexchange.com/questions/1849/why-should-i-avoid-using-a-randomized-iv-for-ctr-mode) answer.
samuel-lucas6 avatar
bs flag
In addition to the above, don't use AES with a 192-bit key; nobody does that. Stick to a 256-bit key instead. Furthermore, AES-CTR isn't authenticated, so an attacker can modify ciphertexts undetected. Ultimately, you'd be better off with a nicer cryptographic library like [libsodium](https://doc.libsodium.org/) and using an AEAD mode such as ChaCha20-Poly1305 or AES-GCM, soon AEGIS.
Rolands Laucis avatar
lb flag
> Are you reusing the same IV for multiple encryptions?

Yes. If it were random, how would the decrypting function know it ahead of time for each message? Is that a design problem for me to solve?

> In addition to the above, don't use AES with a 192-bit key;

In the YouTube videos the guy mentioned lots of internet traffic still uses 128-bit. But okay, I can switch to 256. And I did also find GCM mode and am gonna try that next. The Node.js std "crypto" lib is built on OpenSSL, and I don't really want extra dependencies, but thanks for the info.
SAI Peregrinus avatar
si flag
You send the IV along with the ciphertext. It's not secret. It's usually best if it's just a counter.
samuel-lucas6 avatar
bs flag
@RolandsLaucis Yes, lots of services still use a 128-bit key, but a 256-bit key is more conservative for post-quantum security and protects against multi-target attacks (attacking many users at once). The main competitor to AES (ChaCha20) only supports 256-bit keys, and I think many people would agree that's a good thing. Regarding dependencies, fair enough, although if an additional dependency prevents people from making a mistake, I'd say it's well worth it. I believe Tink is developing a JavaScript version, and that's about as misuse resistant as it gets.
eesiraed avatar
jp flag
In case this isn't already clear to you, you should not be relying on the security of your code. As the answer pointed out, you've already made two devastating mistakes: using CTR mode with a constant IV, and using CTR mode when you want to detect tampering with the ciphertext. These likely would have allowed an attacker to recover the entire plaintext and change it to whatever they want by manipulating the ciphertext. There's no reason to believe that there aren't more critical errors in your code.
Score:4
ng flag

> Is it a problem that the start of a ~~crypt~~ ciphertext can be easily guessed?

That happens by design for excellent encryption systems, e.g. because every ciphertext starts with a version and key identifier. But in the case at hand, that's the symptom of a devastating error: AES-CTR is being used for different records with the same constant IV, therefore the cipher degenerates to XOR with a constant bitstring, which is very poor encryption.

AES-CTR mode is designed to be used as follows:

  • At encryption of each cryptogram, a fresh IV is chosen, usually 8 bytes, by some process that makes it very unlikely that the same IV will be chosen again for a given key. An incremental counter might do, if there's no way it can be reset†.
  • That IV is put as the first bytes of the ciphertext. These bytes are used at decryption to get the IV.
  • That IV is extended to 128-bit, typically internally to the implementation of the CTR-mode cipher.

> I need the output to be unintelligible and unalterable.

Then do not use AES-CTR. It aims only at confidentiality of the data, not integrity, which typically is also an operational requirement, and one we read in "unalterable". For this we have authenticated encryption, e.g. AES-GCM, and variants of that which make nonce (aka IV) reuse a lesser disaster, e.g. AES-GCM-SIV.

Caution: defining the operational requirement of cryptography in database applications is hard. For example, when encrypting the answer to a secret question used for user authentication purpose, authenticated encryption of that data in isolation is not enough (because it still allows substituting the unknown answer with a known one). One solution to that is to enter the identification of the cell encrypted as GCM Additional Authenticated Data.


† It's often difficult to keep track of which IVs have been used. One strategy then is to generate the IVs at random: probability of two identical $b$-bit IVs after $n$ are drawn is no more than $n(n-1)/2^{b+1}$ if a working true random number generator is used. Up to $n$ in millions, that's fine for the usual $b=64$. Above that, an option is to use $b=80$ or $b=96$, noting that no more than $2^{132-b}$ bytes should be encrypted with the same IV.

Rolands Laucis avatar
lb flag
Thank you for the detailed answer and the others that commented on this question! Given this discussion, I now realize how silly my question was. I have implemented the randomized IV into my program, and indeed the results are what I wanted to see. As per the suggestion of AES-GCM-SIV, I am reading the linked resources and will attempt to use it instead, though it does introduce complications.