Can an AES-256 key be generated for a large number of cribs?

Question

I have a question in regards to Ransomware type viruses. I know that a number of these viruses use the AES-256 algorithm to encrypt user's files using a randomly generated key. I work in IT support and I had one client the other week who had lost a large number of important files this way but one thing which struck me was that we were able to recover a large number of files via DropBox - about 500 files (~2gb worth of data) and because the virus only changed the extension it was clear which unencrypted file corresponded to which encrypted file.

What I was wondering is; with a large dataset like this where you have both the encrypted and unencrypted data would it be possible to calculate the encryption key for an AES-256 algorithm in a reasonable time? I don't know how these algorithms work but presumably you would have so much data available to compare that it should at least make the task considerably easier should it not?

I'm not intending to rid the world of ransomware but it just interested me!

Cheers,

Olly

don't those things use a random AES key for each file, then encrypt that random key with an RSA key? — Richie Frame, Feb 01 '16 at 10:50
We seem to be getting questions like this one with some regularity. Alas, the answer is always the same: if the virus writer didn't screw up somehow (and didn't get arrested and forced to surrender their private keys), you can't break the encryption. — Ilmari Karonen, Feb 01 '16 at 11:12

score 0 · Answer 1 · edited Apr 13 '17 at 12:48

0

Just the most basic research on this site would have told you, the answer is NO.

From all known cryptanalysis on AES, the answer is simply there are no useful plain-text attacks. (Which is essentially what your "cribs" are.

It's not going to be possible to break AES-256 in your clients scenario. Full key recovery is out the picture even with a terrible implementation, unless there's a weak way that key is stored. Finding the AES key on the computer itself (encrypted using more vulnerable techniques) is your only shot in hell.

edited Apr 13 '17 at 12:48

Community

1

answered Feb 01 '16 at 10:40

Iam Nick

540
2
12

Thanks for the link. This comment is most relevant I think: – Olly Lennox Feb 01 '16 at 10:44

score 0 · Answer 2 · answered Feb 01 '16 at 10:45

This the most useful post from Nick's answer so copying here:

Since no one really answered the question:

AES is only resistant to known-text attacks if you always use a different randomized initialization vector (IV) for every single message.

To oversimplify a bit, AES combines the Key with the IV to produce the cipher, and the cipher is rotated in blocks throughout the length of the message based on the previous block. So long as the IV is unique to the message (it needn't be secret), then not only can the Key not be recovered, but the knowledge of matching plaintext-ciphertext somewhere in a message provides no information about anything anywhere else in the message.

On the other hand if the Key and IV are reused between messages then the same plaintext will lead to the same ciphertext, so you can potentially decrypt a message using a sufficiently large corpus of known matching plaintext/ciphertext pairs, even without ever recovering the key.

It's discouraged to copy content around. If the answers on the linked question answer your question, you should confirm the duplicate. For the record, this is copied from here. — Artjom B., Feb 01 '16 at 10:57

Can an AES-256 key be generated for a large number of cribs?

2 Answers2