Badly implementing encryptionPart X-Additional data
This series has been going on quite a bit longer than I intended it to be. Barring any new developments or questions, I think that this will be the last post I’ll write on the topic.
In a previous post, I implemented authenticated encryption, ensuring that we’ll be able to clearly detect if the ciphertext we got has been modified along the way. That is relevant because we have to think about malicious actors but we also have to consider things like bit flips, random hardware errors, etc.
In most crypto systems, we have to pass some metadata about the encrypted messages that we pass. Right now, this is strictly outside our scope, but it turns out that there is a compelling reason to consider that plain text data as well. For example, let’s say that I’m sending a number of messages. I have to include the message length and its position in the set of messages I sent in the clear. Otherwise, the receiver might not be able to make sense of that. When we need to decrypt the message, we want to include that additional information (which wasn’t encrypted) as well.
The reason for that is simple, we want to ensure that the other data hasn’t been modified using the same cryptographic tools we already have. It turns out that this is quite simple, check out the code:
We added a parameter for the encryptSivWithNonce() and decrypt() functions that has the buffer of all the associated data for this message. And all we need to do is add that to the MAC computation as well. On the decrypt(), we do the exact same. We compute the hash from the encrypted text and the additional data and abort if they aren’t an exact match.
And with this in place, we implemented a (probably very bad) encryption system from a single primitive (MD5) and brought it to roughly modern standards of AEAD encryption (Authenticated Encryption, Additional Data).
I want to emphasize that this entire series is meant primarily to go over the details of how you build and use an encryption system, not to actually build a real one. I didn’t do any analysis on how secure such a system would be, and I wouldn’t want to trust this with anything beyond toying around.
If you have any references on similar systems, I would be very happy to learn about that, I doubt that I’m the first person who tried to build stream cipher from MD5, after all.
More posts in "Badly implementing encryption" series:
- (24 Feb 2022) Part X-Additional data
- (23 Feb 2022) Part IX–SIV
- (22 Feb 2022) Part VIII–timings attacks and side channels
- (21 Feb 2022) Part VII–implementing authenticated encryption
- (18 Feb 2022) Part VI–malleable encryption
- (17 Feb 2022) Part V–nonce reuse
- (16 Feb 2022) Part IV–keyed hash function
- (15 Feb 2022) Part III–breaking your encryption apart
- (14 Feb 2022) Part II–breaking the code
- (11 Feb 2022) Part I
Comments
Wow, just in time this hits:
https://threatpost.com/samsung-shattered-encryption-on-100m-phones/178606/
IV reuse
Peter,
Ouch!
Comment preview