Reputation: 12945
I use some code that does AES encoding, and I have used it for more than 10 years. The problem is I don't know if this code is well written or not! The algorithm was written more than 15 years ago, is very tiny (only about one hundred lines) and can compile on iOS/Android/Windows 32-bit/64-bit/macOS.
For example, in the code I saw that:
The password is hashed with MD5 (so into 16 bytes) before being sent to the encryption algorithm. I can of course change this part easily, but what other algorithm should I use? SHA2?
The IV is initialized with the current time, and then the first block of the compression output is the IV (so it's public). I don't know if it's good or bad!
What else do I need to check?
Now how can I check the validity of the output to know if everything works as expected?
Upvotes: 1
Views: 1758
Reputation: 12085
"I use some code that does AES encoding, and I have used it for more than 10 years. The problem is I don't know if this code is well written or not!"
It is called encryption. And from the question (~100 lines) I assume you'd like to validate code which is using AES encryption, not the AES encryption itself. I wrote a small blog about encryption. It is focused on Java, but the principles are universal.
"The password is hashed with MD5 (so into 16 bytes) before being sent to the encryption algorithm. I can of course change this part easily, but what other algorithm should I use? SHA2?"
Do you mean that a hash of the password is used as the encryption key? (I see that often.) If that's the case, it may not be sufficient today. If the passwords are human-provided (not long random data with high entropy), it's better to use some PBKDF to generate an encryption key from the password.
"The IV is initialized with the current time, and then the first block of the compression output is the IV (so it's public). I don't know if it's good or bad!"
The IV needs to be unique and may be public. Some encryption modes (e.g. CBC) require the IV to be unpredictable (random).
"What else do I need to check?"
You may check whether the AES implementation itself is provided by some mature library/framework, to prevent some side-channel attacks.
As well, data should be authenticated (signed, appended hash, ...) to prevent malleability (this is called authenticated encryption).
"Now how can I check the validity of the output to know if everything works as expected?"
Well, it's only you who can tell if the output is correct or not.
Upvotes: 1