tags:
views: 122
answers: 4

Hello,

I need to encrypt several parameters in a request (with Java, AES(cbc), 128 BIT Key):

String toencrypt = "name+birthdate+appid+userid";

I have to assume that an attacker can guess all the values. What impact does this have on guessing/finding the symmetric key? Are symmetric keys nevertheless secure even if the content that has been ciphered is known to an attacker? What is the rough estimated "factor" by which this makes finding the key easier? (For example, it might be 1000 times faster to find the key than without the known content...)

(My question is solely about the impact of the fact that the content to be ciphered could be known to an attacker. Due to length restrictions, I have no possibility of including any "random" characters, salt, etc.)

And another related question: what is the security impact if I choose, for the "Initialization Vector" of the AES function, the same data as used for initializing the key? Does this have any impact on the security?

Thank you very much! Markus

+2  A: 

This is called a known-plaintext attack. All decent crypto including AES is not vulnerable to it.

By definition, only the encryption key is secret. Init vector, key derivation algorithms etc. are assumed to be known. So if you use the same data for both IV and key, there's a possibility of weakening your security. You could run the data through a cryptographically strong hash so that going from known IV to key requires reversing the hash first. But it's even better to not use any data related to key generation for anything else at all.

laalto
hello laalto, thank you very much for your helpful answer!
Markus
Actually, a "known-plaintext attack" is different. With a known-plaintext attack, the attacker knows both the plaintext and the ciphertext that results from encrypting it, but not the key used to encrypt it. Markus is describing a possible attack where the attacker does not know the plaintext, but can make guesses at the plaintext. Good crypto nowadays will properly "cascade" a small change of plaintext into a large change in the ciphertext with each round.
weiji
Yes, guessing correctly results in a known plaintext.
laalto
My point is that "guessing correctly" is different than "knowing your guess is correct for a given ciphertext". Please see my answer.
weiji
+2  A: 

This scenario is called "plain text attack":

Classical ciphers are typically vulnerable to a known-plaintext attack.

AES has been designed to withstand such attacks.

How it works: If you run a program, then you should be able to run it in reverse, too, right? For example, a + b = c. If you know c (the result) and a (the plain text), you can derive b.

This doesn't work for all operations, though. Take modulo: a % b = c with a = 0x41 and c = 1. In this case, b could be many values. AES uses a lot of these to make sure you can't calculate your way back through the algorithm to derive the key from the original message.

Aaron Digulla
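The "a + b = c" versus "a % b = c" contrast above can be made concrete. The following Java program is an added example, not code from the question or from any answer: it builds a toy additive cipher (each plaintext byte plus a key byte, exactly the a + b = c case) and shows that one known plaintext/ciphertext pair hands over the key, then runs AES-CBC on the same data and shows that the same subtraction yields nothing, and that flipping a single plaintext bit changes roughly half of the ciphertext bits (the "cascade" mentioned in the comments). Class and method names, the 16-byte sample plaintext and the random key/IV are all constructed for this illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class InvertibilityDemo {
    // Toy cipher from the answer's "a + b = c": plaintext byte a plus key byte b gives ciphertext byte c.
    static byte[] toyEncrypt(byte[] key, byte[] pt) {
        byte[] ct = new byte[pt.length];
        for (int i = 0; i < pt.length; i++) {
            ct[i] = (byte) (pt[i] + key[i % key.length]);
        }
        return ct;
    }

    // Addition is invertible, so one known (a, c) pair per key position gives b = c - a.
    static byte[] toyKeyFromKnownPlaintext(byte[] pt, byte[] ct, int keyLen) {
        byte[] key = new byte[keyLen];
        for (int i = 0; i < keyLen; i++) {
            key[i] = (byte) (ct[i] - pt[i]);
        }
        return key;
    }

    // One AES-CBC block (NoPadding because the sample plaintext is exactly 16 bytes).
    static byte[] aesCbcBlock(byte[] key, byte[] iv, byte[] pt) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
        return c.doFinal(pt);
    }

    // Number of bit positions in which two equal-length byte arrays differ.
    static int differingBits(byte[] x, byte[] y) {
        int n = 0;
        for (int i = 0; i < x.length; i++) {
            n += Integer.bitCount((x[i] ^ y[i]) & 0xff);
        }
        return n;
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();
        byte[] key = new byte[16];          // 128-bit key, as in the question
        rng.nextBytes(key);
        byte[] iv = new byte[16];
        rng.nextBytes(iv);

        // Constructed 16-byte plaintext (one AES block) and a copy differing in a single bit.
        byte[] p1 = "name+birthdate++".getBytes(StandardCharsets.UTF_8);
        byte[] p2 = p1.clone();
        p2[0] ^= 1;

        // Classical, invertible cipher: a known plaintext reveals the key directly.
        byte[] toyCt = toyEncrypt(key, p1);
        byte[] recovered = toyKeyFromKnownPlaintext(p1, toyCt, 16);
        System.out.println("toy cipher: key recovered from one known plaintext = "
                + Arrays.equals(key, recovered));

        // AES: "c - a" is unrelated to the key, and a 1-bit plaintext change scrambles the block.
        byte[] c1 = aesCbcBlock(key, iv, p1);
        byte[] c2 = aesCbcBlock(key, iv, p2);
        System.out.println("AES: 'c - a' equals key = "
                + Arrays.equals(key, toyKeyFromKnownPlaintext(p1, c1, 16)));
        System.out.println("AES: ciphertext bits changed by a 1-bit plaintext change = "
                + differingBits(c1, c2) + " of 128");
    }
}
```

Run it with `javac InvertibilityDemo.java && java InvertibilityDemo`. The toy line prints `true`, the AES subtraction prints `false`, and the bit count lands near 64 on each run: the point of the answer is that AES chains enough non-invertible steps that knowing (or correctly guessing) the plaintext gives no path back to the key.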
A: 

You might reduce the guessing factor by adding a random value to your data. Which you then discard after decrypting the value again.
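The IV question from laalto's answer and the "add a random value" suggestion just above are two sides of the same issue, so one added example covers both. The Java program below is not code from the question or from any answer; class and method names are made up for it, and it assumes the IV can be sent alongside the ciphertext (which costs 16 extra bytes per request). It first encrypts the guessable field string twice with an IV taken from the key material, the weak setting the question asks about, and shows that identical plaintexts then produce identical ciphertexts, which lets anyone who can guess the fields confirm a guess by comparison. It then encrypts with a fresh random IV per request, which is the standard way of adding the randomness the third answer recommends without changing the plaintext, and shows the repeat is no longer recognisable.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class CbcIvDemo {
    private static final SecureRandom RNG = new SecureRandom();

    // Key generated independently of any request data; it must never double as the IV.
    static SecretKey newKey() {
        byte[] k = new byte[16];            // 128-bit AES key, as in the question
        RNG.nextBytes(k);
        return new SecretKeySpec(k, "AES");
    }

    // Encrypt with a caller-supplied IV; used here only to show the fixed-IV case.
    static byte[] encryptWithIv(SecretKey key, byte[] iv, String plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        return c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
    }

    // Recommended form: fresh random IV per request, prepended to the ciphertext for the receiver.
    static byte[] encrypt(SecretKey key, String plaintext) throws Exception {
        byte[] iv = new byte[16];
        RNG.nextBytes(iv);
        byte[] body = encryptWithIv(key, iv, plaintext);
        byte[] out = new byte[iv.length + body.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(body, 0, out, iv.length, body.length);
        return out;
    }

    // Receiver side: split off the IV, then decrypt the remainder.
    static String decrypt(SecretKey key, byte[] ivAndBody) throws Exception {
        byte[] iv = Arrays.copyOfRange(ivAndBody, 0, 16);
        byte[] body = Arrays.copyOfRange(ivAndBody, 16, ivAndBody.length);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        return new String(c.doFinal(body), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        SecretKey key = newKey();
        String msg = "name+birthdate+appid+userid";   // the guessable fields from the question

        // Weak: IV derived from the key material, hence the same for every request.
        byte[] fixedIv = Arrays.copyOf(key.getEncoded(), 16);
        byte[] w1 = encryptWithIv(key, fixedIv, msg);
        byte[] w2 = encryptWithIv(key, fixedIv, msg);
        System.out.println("fixed IV, same plaintext twice -> identical ciphertext: "
                + Arrays.equals(w1, w2));

        // Corrected: random IV per request; a repeated plaintext is not recognisable.
        byte[] r1 = encrypt(key, msg);
        byte[] r2 = encrypt(key, msg);
        System.out.println("random IV, same plaintext twice -> identical ciphertext: "
                + Arrays.equals(r1, r2));
        System.out.println("round trip ok: " + decrypt(key, r1).equals(msg));
        System.out.println("wire form (IV || ciphertext, base64): "
                + Base64.getEncoder().encodeToString(r1));
    }
}
```

Run it with `javac CbcIvDemo.java && java CbcIvDemo`; the first comparison prints `true`, the second `false`. Two things follow for the question as asked. The IV does not have to be secret, but it must be unpredictable and unrelated to the key: if the IV field on the wire is literally the key bytes, the key is disclosed to anyone who reads the request, and if it is merely derived from them, every request reuses the same IV and equal inputs become visibly equal outputs. And the 16-byte IV is the cheapest place to add per-request randomness under a length limit, because it does not consume any of the plaintext's characters.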

+1  A: 

The first two answers that showed up both start off with "This is a plaintext attack" which does not actually seem to be the case. Markus states that "an attacker can guess all the values", and "that the content to be ciphered could be known to an attacker". This is not the same as "an attacker does know the content". A plaintext attack also requires that an attacker knows which plaintext results in which ciphertext, which is a little ambiguous in the question but seems like "no". It sounds like the attacker has access to the encrypted strings, and can only guess what the fields in the plaintext might be, and the question is regarding what effect this would have on the security of the key.

The good news is that those two answers are right in that "All decent crypto including AES is not vulnerable to it." and "AES has been designed to withstand such attacks". So (again quoting from the question) "even if the content that has been ciphered is known to an attacker", the answer is no - the keys are not necessarily vulnerable even if the plaintext is known.

At a higher level, it seems like there could be more understanding on the motivations for using crypto. Bruce Schneier (author of Applied Cryptography) would rather you think of it not in terms of how strong your crypto is, but how you manage your risk. Using AES to encrypt some strings is basically saying that "an attacker will need about so-and-so amount of compute power to brute force break the crypto, and a known plaintext attack will reduce it by so-and-so amount, and that sort of time on a supercomputer will cost X thousands of dollars", so basically you're managing risk by thinking in terms of how much value the secret is, and how much it will cost to replace/restore that secret. If your adversary is willing to spend that much, you better make sure the crypto is the WEAKEST part of your system - they could spend a fraction of that to bribe a rogue sysadmin and do an inside job, for instance. The other side of insight is to understand that Moore's law will make crypto breaking cheaper, so if you use strong crypto, you should understand its limitations - it basically gets weaker as time goes by.

weiji