
I'm using Microsoft Visual Studio 2019 C++. I have an AES-CTR-128 implementation.


Encryption process:

  1. Generate a key pair for AES-CTR-128 using the CryptGenKey() function
  2. Encrypt the whole 16000-byte array using the key\nonce that was generated previously
  3. Encrypt the key and nonce with the RSA master key
  4. Write the encrypted key\nonce to "key.txt" and "nonce.txt"

Decryption process:

  1. Read the encrypted key\nonce
  2. Decrypt the encrypted key\nonce with the RSA master key
  3. Decrypt the whole 16000-byte array using the key\nonce that was decrypted from the file

The question is: does this algorithm provide a secure encryption process?

  • Well, "secure to use" really depends on the use case. What are you planning to do with the data? If you want to send it over the network you must use an HMAC, or altogether AES-GCM. How do you store the key? There are lots of questions to be determined to get a proper answer. Simply tell your use case. Maybe you need something like the CryptoBox of libsodium. – kelalaka Jan 05 '20 at 16:52
  • No, just store on disk; even if an attacker is able to change data, it's nothing. – dr.computer Jan 05 '20 at 17:14
  • No, I ask about AES-CTR-128. Will it be secure? – dr.computer Jan 05 '20 at 17:17
  • Why won't it be? – dr.computer Jan 05 '20 at 17:19
  • A huge problem with the question is that it asks if a protocol is secure without a definition of "secure". And there is no single definition of "secure" in cryptography. Many, arguably most, applications of cryptography require the receiver to be sure that the message is from the intended sender, and unaltered. The present protocol gives no insurance about that. At best, it gives confidentiality under CPA. – fgrieu Jan 05 '20 at 17:25
  • I don't know how to correctly ask the question. I mean, if I encrypt like this, is it possible to decrypt if no one knows the master private key? – dr.computer Jan 05 '20 at 17:31
  • If the data is valuable then why don't you consider integrity and authentication? If not, then why do you encrypt it! – kelalaka Jan 05 '20 at 17:35
  • Because my laboratory work doesn't need it. – dr.computer Jan 05 '20 at 17:39
  • @Hersgori: The resources needed to brute-force it depend also on the length of your RSA key. If you use 1024-bit RSA, this is about 80 bits. So the strength of the scheme will not be higher than 80 bits. – mentallurg Jan 05 '20 at 17:39
  • I'm using RSA-4096 for this one. – dr.computer Jan 05 '20 at 17:42
  • @kelalaka: On integrity and authentication: there can be many valid use cases where it has no value for an attacker to modify encrypted data in a particular way, whereas it always means more or less considerable resources are needed to do that. – mentallurg Jan 05 '20 at 17:44
  • @mentallurg I've asked for the use case and the first response was "even if attacker is able to change data - it's nothing", then now it is laboratory work, so if an attacker changes the data the laboratory work will result in incorrect results and we will call it science. I've already proposed to use VeraCrypt, which handles the OP's need. – kelalaka Jan 05 '20 at 17:52
  • The question is still there. Is it possible to decrypt the data without knowing the RSA private key? – dr.computer Jan 05 '20 at 18:01
  • @kelalaka: Yes, VeraCrypt would be fine. – mentallurg Jan 05 '20 at 18:01
  • @Hersgori: The strength of RSA-4096 is estimated as 140 bits. The weakest element in your scheme is AES-128. Then you should change your question to "How much time is needed to brute-force AES-128?" See this answer: https://crypto.stackexchange.com/questions/48667/how-long-would-it-take-to-brute-force-an-aes-128-key. It makes sense of course in the ideal case only: if there are no side-channel leaks, if you are using a good PRNG, etc. – mentallurg Jan 05 '20 at 18:37
  • @mentallurg I've said that I'm using CryptGenKey(); – dr.computer Jan 05 '20 at 18:51

1 Answer

First of all, CTR mode is an archaic mode of operation that only provides you confidentiality. In modern standards, we use Authenticated Encryption (AE) modes like AES-GCM or ChaCha20-Poly1305. AE provides you confidentiality, integrity, and authentication in a bundle.

There is no need to encrypt the IV. IVs are never designed to be encrypted. They provide probabilistic encryption, which is very useful if a key is used more than once.

To encrypt with RSA-4096 you need a proper padding scheme like PKCS#1 v1.5 or OAEP. The latter, OAEP, is better since the former has more issues. Once you use proper padding you are fine (not exactly). Note that RSA is totally broken if someone is able to build Shor's algorithm with enough qubits.

It is not clear how you are going to keep your RSA private keys safe. Is it turning into a chicken-and-egg problem? Another problem is what happens if someone plays with the key.txt file. Alas, you can no longer access your files! You need backups.

In these kinds of problems, we prefer a password-based key derivation function like PBKDF2 or Argon2id. Have a good password, derive the encryption key with good parameters, and from there encrypt with AES-256-GCM [*]. It actually uses CTR mode inside. You will only get an additional tag; this is up to 128 bits of storage overhead, which is nothing compared to your file size. For the speed lost, see for yourself below, from the OpenSSL speed tool.

$openssl speed -evp aes-256-ctr
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-256-ctr     474901.33k  1490379.07k  2337490.52k  3131689.64k  3592602.97k  3086712.83k
$openssl speed -evp aes-128-gcm
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes  16384 bytes
aes-256-gcm     435559.37k  1178543.34k  2184926.89k  3160146.94k  3705495.55k  3713903.27k

In the end, VeraCrypt may be good for you. Have a good password, generate it with Diceware or BIP39, and then you will have good entropy. Use it while creating your volume.

  • A Diceware passphrase has an entropy of around:

    • five words: 64.6 bits
    • six words: 77.5 bits
    • seven words: 90.4 bits
    • eight words: 103 bits
    • nine words: 116 bits
    • ten words: 129 bits.
  • BIP39 creates $\approx 2^{263}$ possibilities with 256 coin tosses and selecting 24 words.

And, don't forget to back up your files.


[*] Since we talked about Shor, we have to consider Grover, too.

  • Other than bad implementations leading to side-channel attacks, PKCS#1v1.5 with random padding of sufficient length should be just as secure as OAEP (or KEM, for that matter). From a cryptographic PoV, it's fine. – forest Jan 06 '20 at 07:13
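The answer's central point, that CTR gives only confidentiality while an AE mode also detects modification, shown in working code. This is an added example in Go (the Go standard library's crypto/aes and crypto/cipher, not the question's CryptoAPI code or anything from the answer); the key, the nonces and the "balance=100" record are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
)

// Constructed sample record; the poster's real input is a 16000-byte array.
var SamplePlaintext = []byte("balance=100 owner=alice")

// mustBlock builds the AES block cipher; NewCipher only fails on a bad key length.
func mustBlock(key []byte) cipher.Block {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return block
}

// CTRXOR runs AES-CTR over data; CTR is symmetric, so one call both encrypts and
// decrypts. The 16-byte nonce is stored in the clear and needs no encryption.
func CTRXOR(key, nonce, data []byte) []byte {
	out := make([]byte, len(data))
	cipher.NewCTR(mustBlock(key), nonce).XORKeyStream(out, data)
	return out
}

// flipBit returns a copy of buf with one bit of byte idx inverted (no key needed).
func flipBit(buf []byte, idx int, bit uint) []byte {
	out := append([]byte(nil), buf...)
	out[idx] ^= 1 << bit
	return out
}

// TamperedCTRDecrypt encrypts pt, flips one ciphertext bit and decrypts. CTR hands
// back the plaintext with that same bit flipped and gives no indication at all.
func TamperedCTRDecrypt(key, nonce, pt []byte, idx int, bit uint) []byte {
	return CTRXOR(key, nonce, flipBit(CTRXOR(key, nonce, pt), idx, bit))
}

// TamperedGCMOpen applies the same flip to an AES-GCM ciphertext (12-byte nonce,
// 16-byte tag appended by Seal). Open verifies the tag and returns an error instead.
func TamperedGCMOpen(key, nonce, pt []byte, idx int, bit uint) ([]byte, error) {
	aead, err := cipher.NewGCM(mustBlock(key))
	if err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, pt, nil)
	return aead.Open(nil, nonce, flipBit(ct, idx, bit), nil)
}
```

Flipping bit 3 of ciphertext byte 8 turns the stored "balance=100" into "balance=900" under CTR with no error, which is exactly the gap an authentication tag (GCM) or an HMAC closes.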