
I'd like to create a simple file cipher which provides seekable encryption (so I can decrypt any part of the encrypted message without needing to decrypt from the start).

Here's my current idea: I generate a 128-bit IV, which will be the first 16 bytes of the encrypted file. Then I use AES-CTR and encrypt the file. The initial counter value is the IV, and I increment it for each 16-byte block.

The source file is chunk based: each chunk is followed by its SHA-256. My need is to be able to read each whole chunk securely. After a chunk is decrypted, its hash will be verified.

Is this method secure (suppose that counter values don't overlap)?

Is there a better (more secure) method to achieve this?

Note: I chose to use a 128-bit IV because of Ilmari Karonen's comment here.

geza
  • Are you updating data, or is it write-once? – CodesInChaos Nov 29 '17 at 21:27
  • @CodesInChaos: it is write-once. If the data is updated, then a new IV will be generated for the whole file. – geza Nov 29 '17 at 21:27
  • 4
    The big problem is the lack of integrity protection for partial reads. Also encrypting a hash is not a secure MAC. – CodesInChaos Nov 29 '17 at 21:28
  • @CodesInChaos: thanks for the response! As for your first concern, I've edited my question. I hope it is safe now to do partial reads (I'll always read a whole chunk from the file). About your second comment: what is the problem with encrypting a hash? Why isn't it secure? Is there a possible attack? – geza Nov 29 '17 at 21:36
  • Truncation is another attack to watch out for. @maarten I added the link later on. About the same time geza added their response. – CodesInChaos Nov 29 '17 at 21:54
  • @CodesInChaos: thanks, so this hash method has authenticity problems. Actually, I've just added SHA256 to verify integrity. Authenticity is not important for me currently. My main concern is that the encrypted data should remain unknown. Thanks for the comment about truncation: the source file has a header, which stores file size, so hopefully it is not a problem. – geza Nov 29 '17 at 22:07
  • With counter mode it is wise to make the chunks plus hash end on an AES block boundary. Otherwise it may be tricky to skip to the right chunk and you would need to generate part of the key stream for the block before and/or the block after. That could be detrimental to security if exposing part of those chunks is security sensitive. – Maarten Bodewes Nov 29 '17 at 22:13
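The following Go program is an added illustration of the construction described in the question and of the objection raised in the comments; it is not code from the asker or from any commenter. It assumes a fixed 48-byte payload per chunk, so that payload plus SHA-256 is exactly 80 bytes, i.e. 5 AES blocks, which is the block alignment Maarten Bodewes recommends; it assumes no file-size header and a hard-coded demo key; and it uses only Go's standard library. `readChunk` shows the seek: the counter for any byte offset is IV + offset/16 (as a 128-bit big-endian integer, which is how `cipher.NewCTR` increments), so a single chunk is decrypted and hash-checked without touching the rest of the file. `forgeChunk` shows why "encrypting a hash is not a secure MAC": with no key at all, anyone who knows the plaintext of one chunk can XOR the ciphertext into any chosen chunk plus its matching SHA-256, and the hash check passes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"math/bits"
)

const (
	ivSize    = 16                     // 128-bit IV stored as the first 16 bytes of the file
	dataSize  = 48                     // assumed payload per chunk: 48 + 32 = 80 bytes = 5 AES blocks
	chunkSize = dataSize + sha256.Size // plaintext chunk layout: data || SHA-256(data)
)

// counterAt returns IV + n as a big-endian 128-bit counter block, the increment rule cipher.NewCTR uses.
func counterAt(iv []byte, n uint64) []byte {
	ctr := make([]byte, aes.BlockSize)
	copy(ctr, iv)
	hi, lo := binary.BigEndian.Uint64(ctr[:8]), binary.BigEndian.Uint64(ctr[8:])
	lo, carry := bits.Add64(lo, n, 0) // carry propagates into the high 64 bits
	binary.BigEndian.PutUint64(ctr[:8], hi+carry)
	binary.BigEndian.PutUint64(ctr[8:], lo)
	return ctr
}

// xorKeystream XORs buf in place with the keystream from byte offset off of the body (0 = just after the IV).
func xorKeystream(key, iv, buf []byte, off uint64) error {
	block, err := aes.NewCipher(key)
	if err != nil {
		return err
	}
	stream := cipher.NewCTR(block, counterAt(iv, off/aes.BlockSize))
	skip := make([]byte, off%aes.BlockSize) // discard the unused head of the first block
	stream.XORKeyStream(skip, skip)
	stream.XORKeyStream(buf, buf)
	return nil
}

// sealFile produces IV || CTR(data_0 || H(data_0) || data_1 || H(data_1) || ...).
func sealFile(key, iv, plaintext []byte) ([]byte, error) {
	if len(plaintext)%dataSize != 0 {
		return nil, errors.New("plaintext must be a multiple of dataSize (no padding in this example)")
	}
	body := make([]byte, 0, len(plaintext)/dataSize*chunkSize)
	for i := 0; i < len(plaintext); i += dataSize {
		sum := sha256.Sum256(plaintext[i : i+dataSize])
		body = append(append(body, plaintext[i:i+dataSize]...), sum[:]...)
	}
	if err := xorKeystream(key, iv, body, 0); err != nil {
		return nil, err
	}
	return append(append([]byte{}, iv...), body...), nil
}

// readChunk seeks straight to chunk i, decrypts only its 80 bytes and verifies the embedded SHA-256.
func readChunk(key, file []byte, i int) ([]byte, error) {
	off := i * chunkSize
	if i < 0 || len(file) < ivSize+off+chunkSize {
		return nil, errors.New("chunk out of range")
	}
	chunk := append([]byte{}, file[ivSize+off:ivSize+off+chunkSize]...)
	if err := xorKeystream(key, file[:ivSize], chunk, uint64(off)); err != nil {
		return nil, err
	}
	if sum := sha256.Sum256(chunk[:dataSize]); !bytes.Equal(sum[:], chunk[dataSize:]) {
		return nil, errors.New("chunk hash mismatch")
	}
	return chunk[:dataSize], nil
}

// forgeChunk needs no key: CTR is XOR-malleable and SHA-256 is unkeyed, so known plaintext for chunk i lets an attacker substitute chosen data plus its matching hash, and readChunk accepts it.
func forgeChunk(file []byte, i int, known, chosen []byte) []byte {
	forged := append([]byte{}, file...)
	kSum, cSum := sha256.Sum256(known), sha256.Sum256(chosen)
	oldChunk := append(append([]byte{}, known...), kSum[:]...)
	for j, b := range append(append([]byte{}, chosen...), cSum[:]...) {
		forged[ivSize+i*chunkSize+j] ^= oldChunk[j] ^ b // flips exactly the bits that differ
	}
	return forged
}

func main() {
	key, iv := []byte("0123456789abcdef0123456789abcdef"), make([]byte, ivSize) // constructed demo key
	if _, err := rand.Read(iv); err != nil { // a fresh random IV per file, as the question requires
		panic(err)
	}
	plaintext := bytes.Repeat([]byte("0123456789abcdef"), 3*dataSize/16) // three constructed chunks
	file, _ := sealFile(key, iv, plaintext)
	got, err := readChunk(key, file, 2) // seek straight to chunk 2
	fmt.Printf("chunk 2: %q err=%v\n", got, err)
	got, err = readChunk(key, forgeChunk(file, 1, plaintext[dataSize:2*dataSize], bytes.Repeat([]byte("x"), dataSize)), 1)
	fmt.Printf("forged chunk 1 (no key used): %q err=%v\n", got, err)
}
```

Running it prints the genuine chunk 2 and then a chunk 1 consisting entirely of `x`, both with `err=<nil>`. A random bit flip is caught (the hash no longer matches), which is the "integrity" the question is after, but the forgery shows that the construction gives no authenticity: the hash is computed over data the attacker controls and is hidden only by the same XOR keystream as the data, so it can be re-targeted without the key. Detecting that kind of modification requires a keyed tag per chunk (a MAC, or an AEAD mode), not a plain hash.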

0 Answers