
Is this encryption method sensitive to weak keys? Is there any reference in NIST publications on the AES key's entropy? (For example, must it have been generated from a TRNG?)

Can I safely use the Microsoft CAPI for key generation? (pseudorandom number generation)

Am I required to use true random number generation?

Patriot
Offir

1 Answer

AES doesn't require uniformly distributed keys. However, if you have a key with less than 256 bits of entropy, then naturally your keyspace will be smaller than the maximum. Whether or not this is an issue depends on just how few bits you have. The only time a non-random key is bad for AES is when it's chosen very specifically to be harmful, in which case it can be used for a related key attack.

If your input is not uniformly distributed though, the standard technique is to pass it through a hash function like SHA-256 first, which compresses it to 256 uniformly-distributed bits. Or use a KDF.

forest
  • So a PRNG is good enough without a KDF? – Offir Jul 30 '19 at 10:08
  • Is there any need for a TRNG-based key? – Offir Jul 30 '19 at 10:08
  • A non-cryptographic PRNG is not good enough. As any documentation will tell you, use a CSPRNG. – tylo Jul 30 '19 at 11:58
  • I don't understand the reasoning behind this answer. AES doesn't require uniformly distributed keys. - seems to depend on your definition of "require". Sure you can stick any string of bits of appropriate length into the spot labeled "key" and the algorithm won't raise an exception. But is that really what is meant by "require"? The only time a non-random key is bad for AES is when it's chosen very specifically to be harmful - If you expect security from the cipher, then surely choosing non-random keys is always bad? – Ella Rose Jul 30 '19 at 15:35
  • @EllaRose What I meant is that, if you use a non-uniform key with, say, 100 bits of entropy for 256-bit AES, you won't be getting under 100 bits of effective keyspace. Naturally if you give it a key so bad that it only has 30 bits of entropy, then your key is too weak in the first place, regardless of whether you use a KDF. – forest Jul 31 '19 at 04:52
  • @EllaRose it means AES makes use of all the entropy available in the key regardless of how it's formatted. A predictable key is predictable, and vice versa. Setting half the bits to zero in AES256 isn't notably worse than just using AES128. – Natanael Aug 02 '19 at 18:31
  • My point was on the definition of the word "require"; the algorithm can of course still process data using any given key, and in that sense does not "require" anything of the key (save for appropriately sized keys). But there is an implicit "security contract", and "requires" would mean something different and less forgiving in that context. For example, see this answer by Squeamish Ossifrage. The relevant quote is in bold there: "If you have voided the contract of AES by using a nonuniform distribution on your keys, do not expect security." – Ella Rose Aug 02 '19 at 18:37
  • @EllaRose That's an odd comment from Squeamish Ossifrage. AES does not have any issues with nonuniform keys unlike, say, RC4. If you had 128 bits of entropy, you could key AES256 with that and pad the rest with 0s, or with 1s, or repeat the single 128-bit key twice, or double each bit. – forest Aug 03 '19 at 07:09
  • @EllaRose In particular, the attack Squeamish Ossifrage mentions is the well-known related key attack against AES256 and AES192, which require very carefully chosen keys. You aren't going to find a related pair of keys by accident. I'm not sure why they chose to state in bold that you shouldn't "expect security". – forest Aug 03 '19 at 08:34
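The two key-generation paths discussed above (derive a 256-bit key from non-uniform material with a KDF, or take it straight from a CSPRNG as tylo's comment advises), as an added example that is not part of the original answer or comments. It implements HKDF (RFC 5869) over SHA-256 from the Python standard library; the `LOW_ENTROPY_MATERIAL` sample is constructed for illustration and mirrors forest's "128 bits padded with zeros" case.

```python
import hashlib
import hmac
import secrets

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract: condense possibly non-uniform input key material (IKM)
    into a fixed-length pseudorandom key (PRK). An empty salt is replaced
    by HASH_LEN zero bytes, as RFC 5869 specifies."""
    if not salt:
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand: stretch the PRK into `length` output bytes, binding the
    output to the `info` context string."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested length exceeds the HKDF limit")
    okm, block = b"", b""
    for counter in range(1, (length + HASH_LEN - 1) // HASH_LEN + 1):
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
    return okm[:length]


def aes256_key_from_material(ikm: bytes, salt: bytes = b"",
                             info: bytes = b"aes-256 key") -> bytes:
    """The 'use a KDF' path from the answer: turn arbitrary secret material
    into a 32-byte key whose bits are uniformly distributed (bounded, of
    course, by the entropy actually present in `ikm`)."""
    return hkdf_expand(hkdf_extract(salt, ikm), info, 32)


def aes256_key_from_hash(ikm: bytes) -> bytes:
    """The simpler path the answer also mentions: a single SHA-256 pass."""
    return HASH(ikm).digest()


def aes256_key_from_csprng() -> bytes:
    """The CSPRNG path: 32 bytes straight from the OS random source.
    No KDF is needed because the output is already uniform."""
    return secrets.token_bytes(32)


# Constructed sample: 128 secret bits followed by 16 zero bytes.
LOW_ENTROPY_MATERIAL = bytes.fromhex("00112233445566778899aabbccddeeff") + bytes(16)
```

Running `aes256_key_from_material(LOW_ENTROPY_MATERIAL)` yields a key with no visible zero padding, but it still carries only the 128 bits of entropy that went in.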