This is entirely hypothetical, I'm working on securing some data and I want to make sure we do this properly.


If I have a list of information which is encrypted (say, using a 256-bit encryption key) and by chance somebody gets their hands on the list.

In this case, they do not know what the encryption key/method is or any of that. The only thing they know is that X value is equal to "some string".

Using this, I assume they can reverse engineer and find out what the rest of the information is.

What can I do to prevent (or greatly diminish the risk of) them being able to reverse engineer the encrypted data? If I use a longer key, would that make a difference?

mentallurg
Welz
  • So much hypothetical. How do you store the encryption key? Do you need to process the encrypted data like query (since you talked about date)... – kelalaka May 11 '20 at 22:42
  • @kelalaka sorry, that was a typo - meant data. Assume that the key is stored in a handwritten note (or anywhere offsite) and the only way to access the data is to type in that key (more like a password). – Welz May 11 '20 at 23:11
  • To answer your question, yes the data would be frequently accessed (decrypted in order to be viewed in plain text). My biggest concern is what happens if someone gets their hands on this encrypted file and knows what one (or more) of the values are and can then reverse-engineer to figure out the rest. – Welz May 11 '20 at 23:19
  • Use AES-256 with AES-GCM with LFSR/Counter IV or use ChaCha20-Poly1305. There are lots of Q/A on this site for the impossibility. For example, see Has AES-128 been fully broken?. Please edit your question into a specific question. – kelalaka May 11 '20 at 23:20
  • Also, this is Cryptography, we don't rely on the assumption that the adversary has no knowledge of the encryption methods. We only assume that the key is secret. See Kerckhoffs's principle. Your reverse engineer is unclear. Reverse engineering is used where there is some software/hardware implementation that needs to be determined. That is always possible with enough time and money if there is no encryption over some part. – kelalaka May 11 '20 at 23:45
  • @kelalaka I agree with this Kerckhoffs's principle, this is what I'm trying to find out. Assuming the key is the only thing that I've managed to protect and keep secret, what are the actual risks of somebody being able to decrypt the information. – Welz May 12 '20 at 00:40
  • @WELZ: You have big risks if you implement some known encryption algorithm by yourself. You have huge risks if you try to implement your own encryption algorithm. That's why pick up some standard algorithm (ThreeFish, ChaCha20, AES) and some standard library that implements it. – mentallurg May 12 '20 at 03:38
  • @WELZ: What are the risks to decrypt? Brute-forcing one of these algorithms with a 128-bit key using the whole computer power in the world will require more time than the Universe exists. They are considered as non-breakable. So actually you should pay more attention to the following: 1) Is your password/key random or not? 2) How do you keep the password? 3) How secure is your device? Do you use antivirus? What users have what permissions on your device? Do you regularly install all updates and patches? Do you check software that you install on your device? Etc. – mentallurg May 12 '20 at 03:43
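
The comments above recommend AES-256 in GCM mode with a counter IV from a standard library. The following is an added example, not code from any participant in this thread, showing that setup with Go's standard library: each list entry is sealed under a fresh nonce, so an entry whose plaintext is known ("some string") shares no ciphertext with another entry of the same value, and a modified record is rejected. `Sealer` and `NewSealer` are hypothetical names, and the all-zero key in `main` is a constructed demo value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Sealer encrypts list entries under one AES-256 key using a counter nonce.
type Sealer struct {
	aead    cipher.AEAD
	counter uint64 // assumption: in memory only; persist it so a nonce never repeats
}

func NewSealer(key []byte) (*Sealer, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Sealer{aead: aead}, nil
}

// Seal returns nonce || ciphertext || tag for one entry.
func (s *Sealer) Seal(plaintext []byte) []byte {
	nonce := make([]byte, s.aead.NonceSize()) // 12 bytes for GCM
	binary.BigEndian.PutUint64(nonce[4:], s.counter)
	s.counter++ // next entry gets a different nonce
	return s.aead.Seal(nonce, nonce, plaintext, nil)
}

// Open checks the authentication tag before returning any plaintext.
func (s *Sealer) Open(record []byte) ([]byte, error) {
	n := s.aead.NonceSize()
	if len(record) < n+s.aead.Overhead() {
		return nil, fmt.Errorf("record too short: %d bytes", len(record))
	}
	return s.aead.Open(nil, record[:n], record[n:], nil)
}

func main() {
	s, _ := NewSealer(make([]byte, 32)) // constructed demo key; use a random key in practice
	a, b := s.Seal([]byte("some string")), s.Seal([]byte("some string"))
	fmt.Printf("%x\n%x\n", a, b) // same plaintext, unrelated ciphertexts
}
```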
