I have a server which encrypts files with the same AES key. Users can upload a file and download its encrypted version. A user can upload as many files as he wants. Users can decrypt the documents via the server after a date D. A user may see another user's encrypted document, but it would be a disaster if he could decrypt it before date D!

I've read in another Stack Overflow post that using the same initialization vector can make a chosen-plaintext attack easy. So I want to generate a different initialization vector for every uploaded file. Is it a standard, secure approach to add this IV to the encrypted document?

My first idea is to encrypt it with a different AES key and simply concatenate it to the encrypted byte array. But I'd rather use a more standard solution for this problem.

Maarten Bodewes
user1552545

2 Answers

TL;DR: AES is safe against plain-text attacks.

If:

  • you do not reuse your IV
  • your IVs are random
  • you use a correct mode of operation (not ECB...)

Then you are safe against such attacks (you need at least these 3 conditions to be met).

On a side note, IV can be public, it is not a problem.

Worth reading:

Biv
If you look at pretty much any of the many file encryption tools they are usually a hybrid system such as:

  1. Generate a new random key, $k$.
  2. Encrypt $k$ using some public key $p$: $w = Asymm_p(k)$
  3. Encrypt the message, $m$, using $k$ and a symmetric algorithm: $c = E_k(m)$.
  4. Throw away $k$ and $m$. Publish/send $c$ and perhaps $w$ depending on the situation.

This doesn't provide much, but it should provide confidentiality. When the date arrives the holder of the private key can decrypt $w$ and publish $k$.

Thomas M. DuBuisson
  • Given AES security, and considering a decent IV (no reuse), IND-CPA is guaranteed. So no need to consider an asymmetric scheme such as this one. It makes things more complex uselessly, thus more risk of mistakes... – Biv Jan 20 '17 at 22:06
  • @Biv This very much depends on how many encryptions and how much data is encrypted in the lifetime of his one key. This is why I asked my comment-question. – Thomas M. DuBuisson Jan 20 '17 at 22:14
  • Assuming a 256 bit key you are pretty safe. ;) – Biv Jan 20 '17 at 22:14
  • @Biv No you aren't. The issue here is IV collision not key collision. – Thomas M. DuBuisson Jan 20 '17 at 22:16
  • Then I guess you have a birthday after ... 2^64 encryptions. – Biv Jan 20 '17 at 22:20
  • Keep in mind we want far less than a 0.5 chance of such a failure, often about $\frac{1}{2^{48}}$, so we're actually talking about... something like $2^{40}$ depending on your level of concern. It's easier and safer to implement or use a well-studied hybrid technique than talk yourself into a weak system using probabilities. – Thomas M. DuBuisson Jan 20 '17 at 22:30
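The hybrid scheme from the answer above, with the per-file IV stored in the clear in front of the ciphertext as the question asks, as an added Go example (not the answerer's code): each file gets its own random key k and random nonce, k is wrapped with an assumed escrow RSA key pair whose private half the server keeps until date D, and AES-GCM is the assumed mode so decryption also detects tampering. A fresh k per file also sidesteps the IV-collision count debated in the comments, since no two files ever share a key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)
func newGCM(k []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealFile draws a fresh file key k and a fresh 12-byte GCM nonce (the IV) for this one
// file, wraps k with the assumed escrow RSA public key, and returns blob = nonce || ciphertext || tag.
// The nonce sits in the clear at the front of the blob: it must be unique, not secret.
func sealFile(pub *rsa.PublicKey, plaintext []byte) (blob, wrapped []byte, err error) {
	buf := make([]byte, 32+12)
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	k, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(k)
	if err != nil {
		return nil, nil, err
	}
	blob = gcm.Seal(nonce, nonce, plaintext, nil) // Seal appends its output after the nonce
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, k, nil)
	return blob, wrapped, err
}

// openFile is the escrow holder's step after date D: unwrap k, split the nonce off the
// front of the blob, then decrypt and verify the GCM tag in one call.
func openFile(priv *rsa.PrivateKey, blob, wrapped []byte) ([]byte, error) {
	k, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(k)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() { // too short to hold nonce + tag
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}
```

Keeping the private key (or each unwrapped k) out of reach until D is an operational control; nothing in the code itself enforces the date.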