tags:

views:

320

answers:

1
Q: 

AES 256 in CTR mode

ctr mode makes it possible to use a block cipher as a stream cipher but how strong will be the encryption in this mode ?

+3  A: 

Ultimately it depends what you mean by strong. For example from an encryption point of view, i.e. taking the ability of an attacker to decrypt your ciphertext without access to the key, it should be as strong as any other use of AES256 (there is some dicussion on differential analysis between individual cipher blocks with a known plain text but that would be a weakness of the encryption algorithm not of the CTR mode itself).

In the end whether CTR mode is appropriate will depends what you want to apply it to and how you implement it. A couple of things to bear in mind when using this mode would be:

  • The same nonce/counter sequence will create the same cipher stream therefore you must ensure you do not ever use the same values for a given key. Otherwise it might be possible for an attacker given a message with a known plain text to reuse the cipher stream to decrypt your current message).
  • As the stream cipher is XORed with the plain text it means that a 1 bit change in the ciphertext directly results in that bit changing in the decrypted data, therefore some sort of message integrity is paramount, most likely a HMAC so that an attacker cannot realistically generate the hash and correct that as well.
tyranid  2009-11-24 22:24:24
The relationship between flipped bits in plaintext and ciphertext has privacy implications, too. For example, if the attacker can obtain a copy of a plaintext block and its ciphertext at one point in time, he can read it for as long as the same key is used, even if it's been modified.
Nick Johnson  2009-11-25 00:16:02
Nick: That's why you must never, ever, re-use the same counter value with the same key in CTR mode (which is tyranid's first bullet point). If you modify a block, you **must** use a fresh counter value for it.
caf  2009-11-25 00:57:00
Sorry, you're right - I didn't read it closely enough. I was thinking of the situation where you use this to encrypt a mutable file, for example, by naively numbering each block after its position in the file.
Nick Johnson  2009-11-25 08:50:55
FYI: WinZip's AES encryption (http://www.winzip.com/aes_info.htm) uses CTR mode, and a SHA1 HMAC (as suggested by tyranid). The nonce always starts at zero. To generate the key, it uses the RFC 2898 PBKDF2, with a random salt, of 1/2 the key size.
Cheeso  2009-11-25 19:16:44

related questions

How to implement password protection for individual files?
Encrypting appSettings in web.config
Usefulness of SQL Server "with encryption" statement
How can I use a key blob generated from Win32 CryptoAPI in my .NET application?
CodeReview: Tiny Encryption Algorithm for arbitrary sized data
Simple encryption implementation in C
Which hard disk encryption software to choose?
Passing untampered data from Flash app to server?
How do I prevent replay attacks?
Is there a best .NET algorithm for credit card encryption?
Encrypt data from users in web applications
How to encrypt one message for multiple recipients?
Two-way password encryption without ssl
What's the answer to this Microsoft PDC challenge?
GPG: How does key signing work and how is it done?
Secure Online Highscore Lists for Non-Web Games
Programmatically encrypting a config-file in .NET
How do I use 3des encryption/decryption in Java?
Encryption in C# Web-Services
Suitable alternative to CryptEncrypt
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
C# - CryptographicException: Padding is invalid and cannot be removed
How can I encode xml files to xfdl (base64-gzip)?
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
Encrypting Passwords