Reputation: 121
Vulnerable IV and salt in AES encryption
I'm checking this AES encryption/decryption project http://www.codeproject.com/Articles/769741/Csharp-AES-bits-Encryption-Library-with-Salt
But I read that it has vulnerabilities with IV and salting. How can these vulnerabilities occur?
I know AES is immune to known plaintext attacks but if this implementation is wrong, is there a easy way to break it and get the key or plaintext?
Upvotes: 2
Views: 477
Answers (1)
Reputation: 61922
That code contains multiple versions. The last version with a random salt (Getting Randomized Encryption Result with Salt) is almost ok.
As you can see, the IV is generated from PBKDF2 which means that the same IV will be produced when the same salt and password are used. This is an undesirable effect, because it means that the same plaintext will create the same ciphertext. An attacker might deduce that you sent the same message again by only observing ciphertexts. This is of course not semantically secure which is why some randomness is necessary. A way to solve that would be to use a random salt.
Another problem with this code is the low iteration count of 1000. Nowadays, an iteration count of at least 60,000 up to a couple of million should be used. Otherwise, it gets easy for an attacker to try a lot of popular passwords and find the one password you used. So, increasing the iteration count would also severely limit the throughput for an offline attacker.
Another important problem with the code is that there is no authentication of the ciphertext. Depending on your system architecture, an attacker might launch a padding oracle attack and decrypt any ciphertext that you have sent with multiple online queries. The way to protect against that would be to use an authenticated mode of operation like GCM or EAX, or employ an encrypt-then-MAC scheme with a strong MAC like HMAC-SHA256.
The last problem is that PBKDF2 is used to derive the key and the IV from the password. This is not a good idea.
I've found this code which doesn't seem to have any of the problems discussed above.
Upvotes: 3
Related Questions
- How do i use random salt and random iv in aes encryption and decryption algorithm?
- AES 256 encryption can't get IV from byte array correctly
- Symmetric Encryption (AES): Is saving the IV and Salt alongside the encrypted data safe and proper?
- Security of AES encryption with constant salt
- How to securely handle AES “Key” and “IV” values
- AES 256 encryption by passing IV
- AES encryption key and IV
- How to implement AES with IV attached to the encrypted message
- AES Two Way Encryption with Salting
- Q about AES (CBC) and IV (Is it possible to continue with aes(CBC) encryption? ,... )