
Here's a question. I have a file that has to be encrypted with a strong cipher (I've chosen AES-CTR-128). I'm using MVC 2019 to compile a C++ program. First, I create an RSA-2048 key pair (public and private), then I read all data from the file into a buffer (file size ±300kb), encrypt the buffer with AES-CTR-128, encrypt the key and nonce used for AES-CTR-128 (I'm using the WinAPI function CryptGenKey() to create a random key and nonce) with the public key of the RSA-2048 pair generated previously, and write the encrypted key and nonce to the end of the file.

Is there any possibility to get the original data if the attacker doesn't know the key+nonce and the RSA-2048 private key?

I know that the original text can be changed even if it was encrypted, but it doesn't matter. Also, I know that I can skip encryption of the nonce, but... it's better to be safe.

veter0
  • it's not an answer :( – veter0 Jan 14 '20 at 10:40
  • The link points to a question that kelalaka has answered, the question is basically the same as yours. – SamG101 Jan 14 '20 at 10:44
  • Two things: your RSA key size is about as small as I would still feel comfortable with, using RSA-4096 should be preferred. Furthermore, I would try and validate if your decryption exposes an RSA padding oracle attack such as the Bleichenbacher attack. You didn't specify the RSA padding mechanism, but I would recommend OAEP over PKCS#1 padding for most ops. – Maarten Bodewes Jan 14 '20 at 10:49
  • @veter0 Please indicate why you think that the question that kelalaka pointed out doesn't represent an identical question and answer for you. Even the attack I've pointed out is in there. What parts are you still unsure of? – Maarten Bodewes Jan 14 '20 at 10:51
  • The summary of the linked answer and comments is: This gives no assurance of integrity (in particular, CTR is malleable and that sometimes is an issue) nor proof of origin (anyone with the public key can encipher anything). Also, encrypting the nonce is not needed; and the RSA padding is unspecified. That said, no, there is no known practical way to get back the original data if the RSA encryption is with proper random padding (and there's no error in code/library, or in the decryption device and code, private key does not leak, computers used are secure..). – fgrieu Jan 14 '20 at 11:00
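
fgrieu's comment notes that this scheme gives no assurance of integrity because CTR is malleable. The following added example (not from the question or its commenters) shows a modified ciphertext decrypting without error under bare CTR and being rejected once an encrypt-then-MAC tag is checked. The HMAC-SHA256 keystream standing in for AES, the separate `mac_key`, the sample plaintext and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # CTR-style keystream. HMAC-SHA256 stands in for the AES block function
    # (assumption) so the example needs only the standard library.
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])

def ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Encryption and decryption are the same XOR with the keystream.
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def seal(enc_key, mac_key, nonce, plaintext):
    # Encrypt-then-MAC: the tag covers the nonce and the ciphertext.
    ct = ctr_xor(enc_key, nonce, plaintext)
    return ct, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, nonce, ct, tag):
    # Verify in constant time before decrypting; None means "reject the file".
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return ctr_xor(enc_key, nonce, ct)

def modify(ct: bytes, offset: int, delta: bytes) -> bytes:
    # Models a change to the stored ciphertext: XOR delta in at offset.
    mid = bytes(c ^ d for c, d in zip(ct[offset:offset + len(delta)], delta))
    return ct[:offset] + mid + ct[offset + len(delta):]

def demo(enc_key, mac_key, nonce):
    msg = b"amount=0100;to=alice"  # constructed sample plaintext
    ct, tag = seal(enc_key, mac_key, nonce, msg)
    changed = modify(ct, 7, bytes([ord("0") ^ ord("9")]))
    return (ctr_xor(enc_key, nonce, changed),                    # bare CTR accepts it
            open_sealed(enc_key, mac_key, nonce, changed, tag),  # tag check rejects it
            open_sealed(enc_key, mac_key, nonce, ct, tag))       # untouched file opens

if __name__ == "__main__":
    print(demo(secrets.token_bytes(16), secrets.token_bytes(32), secrets.token_bytes(8)))
```

In the asker's file layout the tag would be stored alongside the ciphertext, with `mac_key` wrapped under RSA together with the AES key; an AEAD mode such as AES-GCM gives the same check in one primitive.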
