
I want to start off by being very clear: I'm not designing a system around this; this is 100% a hypothetical I was toying with.

Is there any harm in using the cryptographic hash of a plaintext as the key? For instance, if my message was Hello, world!, that produces the SHA256 315f5bdb76d078c43b8ac0064e4a0164612b1fce77c869345bfc94c75894edd3. Is there any weakness in using this as a key?

If my system used a pre-determined set of messages, then I can clearly see the attack: hash all the messages, and try them all as keys.

So questions:

  1. Is there any immediate weakness (assuming the messages I'm sending aren't pre-canned)?
  2. Is using a nonce enough to overcome any weakness when using AES?
  3. If not using a nonce, is it still viable?
  • Is this a cipher (that is, one in which the receiver is expected to decrypt)? If so, how does the receiver get the key? – poncho Mar 28 '22 at 20:30
  • Does that matter? I'm not being snarky, I'm legitimately curious if that affects the answer. Can we just assume that's a separate problem? Let's say I hand the receiver the key/hash written on a piece of paper (i.e. abstract the problem away) – John Smith Mar 28 '22 at 20:32
  • Today's requirements for encryption are at the very least "IND-CPA". Which this fails. So in terms of encryption, this doesn't work. As a hash function, it's probably fine. – tylo Mar 29 '22 at 04:32

1 Answer

The biggest issue is of course that you would need to know the message to be able to decrypt it.

Is there any immediate weakness (assuming the messages I'm sending aren't pre-canned)?

Pre-canned is too loose a term. If an adversary can guess the plaintext in any way then the key would become known. The security of AES would be downgraded if the entropy in the message is lower than the key size.

Note that it is assumed that the adversary knows the hash function used (Kerckhoffs's principle), so no security can be gained from that.

Is using a nonce enough to overcome any weakness when using AES?

AES doesn't use a nonce. Cryptographic schemes and block cipher modes of operation such as GCM may use a nonce. However, a nonce doesn't remove any other vulnerabilities of the scheme or mode of operation. Having a nonce may be a pre-condition for a specific scheme or mode of operation, but that's about it.

If not using a nonce, is it still viable?

No, it is not a good idea.

Possibly you would need to take a look at password-based key derivation functions instead (PBKDF functions, also known as password hashes). These provide healthy things such as a salt and work factor / iteration count. The salt is probably the kind of nonce-usage that you are looking for, and the work factor makes it harder to guess the message.

Maarten Bodewes
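An added example (not from the question or the answer above) that puts the two points of the answer side by side: with key = SHA-256(message), anyone holding a list of plausible messages confirms the right one at one hash per guess, which is also the only way the receiver can ever obtain the key; a password-based KDF with a salt and iteration count makes each guess cost the full work factor and makes identical messages derive different keys. The standard library has no AES, so a keystream of HMAC-SHA256(key, counter) blocks stands in for a nonce-less block cipher here (an assumption of this example, not part of the original page).

```python
import hashlib
import hmac
import os

# Scheme from the question: the key is simply SHA-256 of the message.
def key_from_message(message: bytes) -> bytes:
    return hashlib.sha256(message).digest()

# Stand-in for AES without a nonce (assumption: no AES in the stdlib).
# Keystream block i = HMAC-SHA256(key, i), XORed into the data.
def xor_stream(key: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def encrypt(message: bytes) -> bytes:
    # Key and plaintext are the same secret: decryption needs the message.
    return xor_stream(key_from_message(message), message)

def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return xor_stream(key, ciphertext)

def recover_by_guessing(candidates, ciphertext):
    """Cost to anyone with a list of plausible messages: one hash per
    candidate. A guess is confirmed when decrypting under H(guess) returns
    the guess itself, the same check the receiver would have to perform."""
    for candidate in candidates:
        if decrypt(key_from_message(candidate), ciphertext) == candidate:
            return candidate
    return None

# The answer's alternative: a password-based KDF with salt and work factor.
# Every guess now costs `iterations` HMAC computations, and the salt makes
# the key differ even when the same message is used twice.
def pbkdf_key(message: bytes, salt: bytes, iterations: int = 100_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", message, salt, iterations)

if __name__ == "__main__":
    ct = encrypt(b"Hello, world!")
    print(key_from_message(b"Hello, world!").hex())
    print(recover_by_guessing([b"Hi", b"Hello, world!", b"Bye"], ct))
    print(pbkdf_key(b"Hello, world!", os.urandom(16)).hex())
```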