-1

If I would know the clear and encoded versions of a string could I somehow find the password and.or iv that wore used to encode it?

Encoding done with open_ssl aes-128-cbc.

matttt
  • 1
  • 6

3 Answers3

4

No. This would amount to a known-plaintext attack on AES.

Polynomial
  • 132,208
  • 43
  • 298
  • 379
  • So the answer is NO I cannot. Or it would take forever but it would be possible? Or it can be done and not very hard? Simple answer please. I'm not an expert like you. – matttt Sep 25 '12 at 10:20
  • The only way to do it would be to crack the IV and key. It's likely to take longer than the current age of the universe. – Polynomial Sep 25 '12 at 10:28
  • So the IV and key cannot be cracked even if one would know the decoded string. – matttt Sep 25 '12 at 10:33
  • Yes, via a bruteforce, but as I said it'd take a very very very long time (millions of years). Any method that reduces the attack time to below that of a bruteforce is considered a break, so if it *were* possible to retrieve the key from a known plaintext and ciphertext pair, you would have broken AES. – Polynomial Sep 25 '12 at 11:05
  • @drjimbob The IV is not the first 16 bytes of encrypted message. It's *combined with* the first 16 bytes (first block) of the message. That's how CBC works. – Polynomial Sep 26 '12 at 07:41
  • @drjimbob I think you misunderstood. Each block is combined with the *previous* ciphertext block. For the first block, there isn't a previous block to combine with, so the IV is used. – Polynomial Sep 26 '12 at 15:12
  • @drjimbob If the IV is derived from `pass`, and both parties know `pass`, the IV is known. – Polynomial Sep 26 '12 at 15:33
  • @Polynomial - On further inspection (getting php 5.3.3+ up and running in a VM), it appears I was wrong. I still think the design of solidauth.com is quite weird and insecure (non-constant-time string compare). The output of the php function openssl_encrypt does not include the IV (and if no IV is provided it uses "" as an IV). – dr jimbob Sep 26 '12 at 16:40
3

Usually the IV is known, and encoded with the message. It is not secret (it is an IV, not a key).

If the encryption system is any good, there is no (known) way to recover the key from the knowledge of everything else (plaintext, ciphertext, IV) which would be faster than trying all possible keys until a match is found (this is exhaustive search, colloquially known as brute force). If the key is large enough (i.e. more than about 80 bits or so), this is infeasible with existing technology and energy (see this answer for details). Each additional key bit doubles the attacker's effort, so a 128-bit key is very far from being attackable, even with tomorrow's technology.

This property shall be maintained (then again, if the algorithm is good) even if the attacker can obtain billions of plaintext/ciphertext pairs, even if he gets to choose the plaintext (chosen plaintext attack) or even the ciphertext (chosen ciphertext attack, i.e. attack on a decrypting box).

To the best of our knowledge, AES is good and OpenSSL uses it properly.

Community
  • 1
Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
  • What is the IV is not known. Can it be found from just the encoded and decoded forms of a string? – matttt Sep 25 '12 at 12:11
  • 1
    @matttt: the IV is chosen by whoever _encrypts_ but must be known by whoever _decrypts_. Since a new IV is needed for each message, it would be inconvenient to make it a shared secret between sender and receiver, and since it does not _need_ to be secret, it is added as part of the encoded message. In some cases, where there is a per-message key, e.g. derived from a password, the IV can be password-derived as well. Either way, it does not change the response: with or without the IV, the attacker should not be able to recover the key. – Thomas Pornin Sep 25 '12 at 12:25
  • let me put it simpler. If you had only an open_ssl aes-128-cbc encoded string and the decoded form of it could you find the IV? – matttt Sep 25 '12 at 13:37
1

What you describe would be a known-plaintext attack. Wikipedia claims that

Advanced Encryption Standard [is] not currently susceptible to known-plaintext attacks.

(but that some block ciphers may be affected by chosen plaintext attacks).

sourcejedi
  • 609
  • 4
  • 14