views:

320

answers:

1

ctr mode makes it possible to use a block cipher as a stream cipher but how strong will be the encryption in this mode ?

+3  A: 

Ultimately it depends what you mean by strong. For example from an encryption point of view, i.e. taking the ability of an attacker to decrypt your ciphertext without access to the key, it should be as strong as any other use of AES256 (there is some dicussion on differential analysis between individual cipher blocks with a known plain text but that would be a weakness of the encryption algorithm not of the CTR mode itself).

In the end whether CTR mode is appropriate will depends what you want to apply it to and how you implement it. A couple of things to bear in mind when using this mode would be:

  • The same nonce/counter sequence will create the same cipher stream therefore you must ensure you do not ever use the same values for a given key. Otherwise it might be possible for an attacker given a message with a known plain text to reuse the cipher stream to decrypt your current message).
  • As the stream cipher is XORed with the plain text it means that a 1 bit change in the ciphertext directly results in that bit changing in the decrypted data, therefore some sort of message integrity is paramount, most likely a HMAC so that an attacker cannot realistically generate the hash and correct that as well.
tyranid
The relationship between flipped bits in plaintext and ciphertext has privacy implications, too. For example, if the attacker can obtain a copy of a plaintext block and its ciphertext at one point in time, he can read it for as long as the same key is used, even if it's been modified.
Nick Johnson
Nick: That's why you must never, ever, re-use the same counter value with the same key in CTR mode (which is tyranid's first bullet point). If you modify a block, you **must** use a fresh counter value for it.
caf
Sorry, you're right - I didn't read it closely enough. I was thinking of the situation where you use this to encrypt a mutable file, for example, by naively numbering each block after its position in the file.
Nick Johnson
FYI: WinZip's AES encryption (http://www.winzip.com/aes_info.htm) uses CTR mode, and a SHA1 HMAC (as suggested by tyranid). The nonce always starts at zero. To generate the key, it uses the RFC 2898 PBKDF2, with a random salt, of 1/2 the key size.
Cheeso