
I have short (8-byte) messages which are effectively true random numbers, and I want to encrypt these messages with a (pre-shared) key....

I'm using AES-CTR for this purpose -- but with the SAME IV each time (which is seemingly contrary to best practice).... but since EVERY message that I'll encrypt with this key is unique, do I really have a security issue?

Maarten Bodewes
biosbob
  • How many messages do you have, at most, before you get a new key? – SAI Peregrinus Oct 27 '22 at 15:47
  • If my 8-byte random numbers are truly random, then I should (in theory) be able to use the SAME key 2**64 times.... in practice, I'll encrypt under 1000 random messages during the lifetime of this key.... – biosbob Oct 27 '22 at 16:35
  • First of all, if you have space for it, then just use a mode of operation that has an IV. Otherwise you might want to look at a 64-bit block cipher (e.g. Blowfish). You could use ECB mode. Or you could even use a modern cipher using Format Preserving Encryption. Much safer, only duplicates will show up. A key wrapping mode or AES-SIV would also work, but those will grow your ciphertext compared to the plaintext. – Maarten Bodewes Oct 30 '22 at 20:47


Yes, this is an issue. Essentially you are encrypting each 8 bytes by XORing them with the same secret key. If we write $P_i$ for the true random 8-byte values, then the ciphertexts are $C_i=P_i\oplus K$ for some fixed 8-byte value $K$.

Compromise of any one of the $(P_i,C_i)$ pairs will now compromise all of the pairs, as $K$ can be recovered and the same $K$ is used for all pairs.

Moreover, if there is any bias in your "effective" randomness, this will lead to bias in the ciphertexts, which in turn will reveal information about the corresponding plaintext.

Daniel S
  • Makes sense... but suppose I sent an incrementing counter in the clear with each encrypted message and that (unique) value was injected into the IV used by both parties, am I now back on more familiar ground? – biosbob Oct 27 '22 at 16:44
  • Yes, this will produce a different $K_i$ for each $P_i$ and the block cipher should prevent an attacker from working out any relationship between them. You might want to worry about an active attacker modifying the ciphertexts (XORing some value onto the ciphertext would XOR the recovered plaintext by the same amount and would not be a priori detectable). – Daniel S Oct 27 '22 at 16:48
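The reduction in the answer and the counter-IV fix from the comments, as an added Go example using the standard library's AES-CTR (not code from the question or answer): with a fixed IV every 8-byte message is masked by the same keystream block K, so one known pair exposes every other ciphertext, while a per-message counter folded into the IV gives each message its own K. The key, IV and prefix values are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
)

// ctrXOR runs AES-CTR under key with a 16-byte IV. An 8-byte message uses only the
// first keystream block, so a fixed IV means one fixed K: the C_i = P_i xor K of the answer.
func ctrXOR(key, iv, in []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// recoverOtherPlaintext is the failure mode from the answer: one known (P1, C1)
// pair gives K = P1 xor C1, and any other C2 under the same IV is C2 xor K.
func recoverOtherPlaintext(p1, c1, c2 []byte) []byte {
	return xorBytes(c2, xorBytes(p1, c1))
}

// counterIV is the fix from the comments: fixed 8-byte prefix plus an 8-byte message
// counter sent in the clear, so each message gets its own counter block and keystream.
func counterIV(prefix []byte, counter uint64) []byte {
	iv := make([]byte, 16)
	copy(iv, prefix[:8])
	binary.BigEndian.PutUint64(iv[8:], counter)
	return iv
}

// sameKeystream reports whether two 8-byte messages encrypted under iv1 and iv2
// were masked by the same K, i.e. whether C1 xor C2 == P1 xor P2.
func sameKeystream(key, iv1, iv2, p1, p2 []byte) bool {
	c1, c2 := ctrXOR(key, iv1, p1), ctrXOR(key, iv2, p2)
	return bytes.Equal(xorBytes(c1, c2), xorBytes(p1, p2))
}
```

Note that the counter IV fixes confidentiality only; as the last comment says, CTR output is still malleable, so an authenticated mode (or a MAC over the ciphertext) is needed against an active attacker.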