Which encryption method support 256 bytes block size?

Flole

4/2/24, 6:24 PM

I am looking at some secret encryption method that apparently uses CBC and a block size of 256 bytes. I can do a chosen-ciphertext-attack. When I modify a single byte in the ciphertext a complete block of 256 bytes in the plaintext is corrupted, plus a single byte at the same offset in the following block. That leads me to the conclusion, that this is using a 256 byte block size which is huge.

Additionally the last bytes are disappearing when I do any modification, so I believe there is some kind of padding involved? The ciphertext is always a multiple of the blocksize.

How could I figure out which encryption is used here? It is running on a microcontroller, so resources are limited.

0 + 6

cryptanalysis

block-cipher

chosen-ciphertext-attack

fgrieu

4/2/24, 6:55 PM

The conclusion about CBC makes sense. It's hard to guess what 2048-bit block cipher that could be. I don't know anything common, but it's easy to build one.

Flole

4/2/24, 7:20 PM

@fgrieu So you are assuming that something custom is in use here? I did some quick research aswell and found several resources stating "don't use such huge block sizes, the performance will suffer". If someone comes up with their own, "easy" cipher, I assume chances it is vulnerable to some kind of analysis are not that bad? Is there anything I could do to get more insights by throwing data into it? I know that the IV is static 0x00 and decrypting something twice doesn't give back the original ciphertext text but something completely different, so decrypt(decrypt(ciphertext)) is != ciphertext.

fgrieu

4/2/24, 7:36 PM

Yes a 2048-bit block cipher is most unusual, thus likely custom, or recycling of something else outside it's standard use. One idea (that would make sense in a CTF, less IRL) would be textbook RSA (or the Pohlig–Hellman exponentiation cipher). To test that: these have the property that E(0)=0 and E(1)=1. This property is quite testable from an encryption or decryption oracle, as you seem to have. For E(1) you have to guess the endianness.

Flole

4/4/24, 1:37 PM

@fgrieu I'm not entirely sure I understand what you mean: You mean if I decrypt a block of 0x00 it should lead to a block of 0x00? That's not the case. Unfortunately this isn't just a CTF but this is some real-life crypto.

fgrieu

4/4/24, 1:41 PM

Yes that's the test I was proposing (though because of CBC you'd want to decider two consecutive blocks of zeroes, or set the IV and the first block to zeroes). If it does not lead to a deciphered block of zeroes, my idea is ruled out. There remains de-compilation, debugger, side channels, of for something totally weak observing how 1-bit changes in plaintext or ciphertext propagates. Contrary to movies, cryptanalysis of unknown ciphers is extremely hard.

Flole

4/4/24, 2:41 PM

I did this test with the first 2 blocks to figure out the IV (and as the first 2 blocks when set to 0 and decrypted contained the same, high-entropy data I figured out that the IV must be 0x00). My first attempt was to do decompilation but I wasn't able to gain access to the firmware, so this was another small hope that I had.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Which encryption method support 256 bytes block size?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.