tags:

views:

280

answers:

5
+14  Q: 

If attacker has original data and encrypted data, can they determine the passphrase?

If an attacker has several distinct items (for example: e-mail addresses) and knows the encrypted value of each item, can the attacker more easily determine the secret passphrase used to encrypt those items? Meaning, can they determine the passphrase without resorting to brute force?

This question may sound strange, so let me provide a use-case:

  1. User signs up to a site with their e-mail address
  2. Server sends that e-mail address a confirmation URL (for example: https://my.app.com/confirmEmailAddress/bill%40yahoo.com)
  3. Attacker can guess the confirmation URL and therefore can sign up with someone else's e-mail address, and 'confirm' it without ever having to sign in to that person's e-mail account and see the confirmation URL. This is a problem.
  4. Instead of sending the e-mail address plain text in the URL, we'll send it encrypted by a secret passphrase.
  5. (I know the attacker could still intercept the e-mail sent by the server, since e-mail is plain text, but bear with me here.)
  6. If an attacker then signs up with multiple free e-mail accounts and sees multiple URLs, each with the corresponding encrypted e-mail address, could the attacker more easily determine the passphrase used for encryption?

Alternative Solution

I could instead send a random number or one-way hash of their e-mail address (plus random salt). This eliminates storing the secret passphrase, but it means I need to store that random number/hash in the database. The original approach above does not require storage in the database.

I'm leaning towards the the one-way-hash-stored-in-the-db, but I still would like to know the answer: does having multiple unencrypted e-mail addresses and their encrypted counterparts make it easier to determine the passphrase used?

+5  A: 

Yes, it does make it easier. In general, the more information the attacker has, the easier their job becomes. This specific example is called a known-plaintext attack.

Eric Melski  2010-04-06 18:08:40
But for a well-designed encryption method it is still so hard that it is not a problem.
starblue  2010-04-06 18:13:34
Modern ciphers are designed to resist not only known-plaintext attacks, but adaptive chosen-ciphertext attacks. Designing your protocol on the assumption your primitives are weak is a big mistake; pick trusted primitives.
Paul Crowley  2010-04-07 10:30:03
+11  A: 

What you're describing is a known-plaintext attack. Classical ciphers were very vulnerable to this sort of attack, but modern ciphers are designed to resist it.

You'll want to read up a bit on crypto.

Rob Lachlan  2010-04-06 18:09:30
+1 for the recommendation to read up on Crypto.
fbrereto  2010-04-06 18:13:20
any suggested reading?
Brad Cupit  2010-04-07 23:07:47
+3  A: 

Although you can probably, with some research, choose a strong enough cryptographic method to resist the known-plaintext attack, is it really worth it just to avoid storing a hash in your database?

Using a single passphrase to encrypt all registration requests seems like you're adding an unnecessary single point vulnerability: if an attacker does crack that passphrase somehow, they can register as many accounts as they want. If, on the other hand, you generate for each new account request a one-time hash (of email address+random number, for example) to authenticate the confirmation URL, even a hacker who intercepts the confirmation email for account A is no closer to getting access to B, C, or D.

You probably want to store some state information about the confirmation process in a database anyway: there should probably be a time limit on how long the confirmation URL is valid.

David Gelhar  2010-04-06 18:23:31
Actually, I think vulnerabilities due to poor generation of 'random' hashes/secrets are at least as likely, if not more, as any risks from introducing a single secret key.
Nick Johnson  2010-04-06 21:38:34
+3  A: 

What you need is not encryption, it is authentication. In the link you send to customers, you include not only their email address, but a timestamp and what is called a MAC, which is a symmetric-key based authentication field. The MAC should authenticate both the email address and the timestamp. 64-bit HMAC-SHA1 should do you. When you receive the link, check that the timestamp is not too far in the past and the MAC verifies; then you know you generated the link.

MACs are designed to resist attacks where attackers get to choose messages and ask for the corresponding MACs, so you don't need to worry about the MAC equivalent of a "known plaintext attack".

Paul Crowley  2010-04-07 10:33:16
+1  A: 

There is one scenario where the answer is YES!!! And that is if you use a stream cipher, such as RC4.

RC4 is essentially a random number generator that simply XORs the plaintext with a 'key stream' derived from your key:

P0 ^ K0 = C0
P1 ^ K1 = C1
P2 ^ K2 = C2
.
.
PN ^ KN = CN

If you have both the plaintext and the ciphertext, you can do this:

C0 ^ P0 = K0
C1 ^ P1 = K1
C2 ^ P2 = K2

and so on. As you can see, you get the key stream back. Not the key, but the stream generated by the key.

Michael Howard-MSFT  2010-04-07 15:04:37
ha, nice! I was thinking more along the lines of Triple DES or AES rather than XOR, but thanks for the tip.
Brad Cupit  2010-04-07 16:36:45
RC4 is broken and shouldn't be used. A modern stream cipher will have two parameters, the key and the "nonce". The same key may be used many times so long as no nonce is ever re-used with a specific key.Even if you're using Triple DES or AES, these are block ciphers; when you use a chaining mode you effectively use them to build stream ciphers, so the same considerations apply. One popular chaining mode is CTR mode, which uses XOR to combine the stream with the plaintext. All secure chaining modes require that the nonce not be re-used, not just CTR.
Paul Crowley  2010-04-08 16:02:52
"All secure chaining modes require that the nonce not be re-used" - that's why 'nonce' == 'number once' :-)
Michael Howard-MSFT  2010-04-09 02:30:23

related questions

How to implement password protection for individual files?
Encrypting appSettings in web.config
Usefulness of SQL Server "with encryption" statement
How can I use a key blob generated from Win32 CryptoAPI in my .NET application?
CodeReview: Tiny Encryption Algorithm for arbitrary sized data
Simple encryption implementation in C
Which hard disk encryption software to choose?
Passing untampered data from Flash app to server?
How do I prevent replay attacks?
Is there a best .NET algorithm for credit card encryption?
Encrypt data from users in web applications
How to encrypt one message for multiple recipients?
Two-way password encryption without ssl
What's the answer to this Microsoft PDC challenge?
GPG: How does key signing work and how is it done?
Secure Online Highscore Lists for Non-Web Games
Programmatically encrypting a config-file in .NET
How do I use 3des encryption/decryption in Java?
Encryption in C# Web-Services
Suitable alternative to CryptEncrypt
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
C# - CryptographicException: Padding is invalid and cannot be removed
How can I encode xml files to xfdl (base64-gzip)?
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
Encrypting Passwords