Decryption type and breaking (AES 128?)

views:

397

answers:

+2 Q:

Decryption type and breaking (AES 128?)

Hi,

My question has 2 parts. The first one is "what possible type of encryption i am on" and the other is, "what is the chance of breaking it" (as soon as the encryption algorithm was found).

So, I got the original file and the encrypted one and I was able to test the behaviour of the encrypted when something changes in the original. The most important clues I've found are:

The original and encrypted file have the exact same size (take note that the size is product of 0x10 = 128-bit)
The encryption block size seems to be 128-bit. When a byte changes on the original file, the same 128-bit block changes on the encrypted file and, sometimes (maybe) the previous or next block. But most times only this block. And the rest of the file doesn't change at all.
There are repeated sections on the original files (e.g. 16 bytes of 00 value) but non of them have the same 128-bit block result on the encrypted file. So, 16 bytes of 00 in the 2nd block has different encrypted result than 16 bytes of 00 on the next block.

Working that clues in mind, could you guess what type of algorithm could it be? I was thinking it is an AES 128-bit, but clue #2 excludes CBC mode, while clue #3 excludes ECB! Seems to be something "between" those... Could it be AES 128 on any other mode? What else could you think?

In case there is a couple of known algorithm which could possibly result on that behaviour, what are the chances of being able to break it, knowing the original data and being able to do tests on changes to the 2 files?

Thanks in advance

[EDIT: Bad guess deleted.]

I assume you know the basic description of block ciphers. For those who don't:

Wikipedia: Block cipher modes of operation

JXG 2009-11-02 17:11:41

Counter Mode is a reasonable guess.

Jonathan Leffler 2009-11-02 18:03:22

Nice guess. But what about the 2nd part of my question? Should it be brute forse attack or it should be some other way to find the pass? Thanks for your help, anyway. Really helped

SVicon 2009-11-02 18:33:55

Can't be Counter Mode, because otherwise a single-byte change in the input would only change the corresponding byte in the output, rather than the whole block.

caf 2009-11-03 12:13:24

+2 A:

It sounds like it is a variation on ECB mode, where the plaintext block is XORed with a nonce that is derived from the block's position in the file before being encrypted in ECB mode.

This would result in the observed characteristics:

No increase in file size (so therefore no IVs);
A single byte change in the input affects an entire block of the output.

(The nonce could be as simple as a counter).

This scheme is weak. It would be susceptible to the same kind of frequency-analysis attacks that work against ECB mode - it would just take more ciphertext. Also any plaintext/ciphertext pairs you collect are re-usable for the same block positions in any unknown ciphertexts you find.

caf 2009-11-03 12:19:05

But a scheme like this wouldn't explain why (sometimes) blocks before or after the block which was modified change. Otherwise I would have thought it something like that too (say XEX, LRW, or XTS mode), but none of these modes have this neighbor modification property.

Jack Lloyd 2009-11-04 14:36:43

Well, the OP does say "maybe" about those blocks changing, so I discounted that. However that could actually just be an effect of ciphertext stealing in a mode like XTS, if the file is broken into segments that aren't a multiple of the blocksize.

caf 2009-11-05 00:15:19

Thanks for the help. Maybe this makes sense more than CTR. I know some sections that should be, originally, all 00, so i guess i could do something with this ("attack" the 00 blocks). Any suggestion for something specific?

SVicon 2009-11-07 19:35:57

ansaurus

tags:

views:

answers:

Decryption type and breaking (AES 128?)

related questions