17

How to detect if a message was encrypted with CBC or ECB mode?

I have made a function which encrypts with AES-128 in CBC or ECB mode randomly, and I do Hamming between clear text and cipher text, but it seems not correlated to the cipher mode.

How can I detect the block cipher mode?

Thank you in advance

Xantra
  • If it is only your code doing both encryption and decryption then you can add an extra byte e.g. 0 or 1 depending on cipher mode and check that before processing the payload. Other option you could try is first try cbc if that fails try ecb while decrypting. – Bimalesh Jha Jun 29 '13 at 16:49
  • 1
    I'm afraid that if there are no distinguishing elements in the plain text or cipher text that you cannot *reliably* detect the block cipher mode. The blocks are meant to be indistinguishable from random. Fortunately the plain text normally isn't. If you did use CBC mode then you should have used an IV, so the IV could be the distinguishing feature. That said; why the *heck* would you encrypt with CBC or ECB randomly??? – Maarten Bodewes Jun 30 '13 at 23:35
  • 2
    It's for a cryptography exercise. The aim is to detect the cipher mode, so I made a function which randomly uses CBC and ECB to test my detection function. – Xantra Jul 02 '13 at 06:48

4 Answers

11

The answer is pretty much given in the problem statement:

Remember that the problem with ECB is that it is stateless and deterministic; the same 16 byte plaintext block will always produce the same 16 byte cipher text.

Thus, with the assumption that some repeated plaintext blocks occur at the same ciphertext block offsets, we can simply go ahead and look for repeated ciphertext blocks of various lengths.

crishoj
  • 1
    One more thing to note is that the key length of AES-ECB is 128 bits (16 bytes). Not knowing this (obvious to some) fact will make you run around in circles like I did! – tejaswi prakash Jan 28 '23 at 05:52
2

I am doing the same problem set and just finished this problem (using Clojure).

My first hint is, it will be more clear what you need to do if you are using a language which supports first class functions/lambdas.

Anyways, let's break down the problem a bit:

First, just write a function which validates that a blackbox is encrypting data with ecb. How would you do this?

It might look something like (pseudocode below)

function boolean isEcbBlackbox(func f) 
{   //what input can I use to determine this?
    result = f("chosen input")
    if(result ...) {//what property of result should I look for?
        true
    } else {
        false
    }
}

Remember, the key weakness of ECB is identical blocks of plaintext will be encrypted to identical blocks of ciphertext.

EDIT: The challenges are now public, so I will link to my solution(s):

https://github.com/dustinconrad/crypto-tutorial/blob/master/src/crypto_tutorial/lib/block.clj#L118

RedDeckWins
  • 2
    I now actually feel really stupid... I suppose the question never told you what type of text to encrypt, entering a certain type of text makes this exercise really really easy, I already have a function that will do this from when I did the detecting repeating xor exercise... – Garry Welding Jul 04 '13 at 07:33
  • Yeah, that last sentence may be the only distinguishing feature you can use on the ciphertext of course. – Maarten Bodewes Jul 07 '13 at 00:31
  • From my understanding, in this challenge, the "blackbox function" is not available for evaluation with arbitrary input. Only selected, pre-computed ciphertexts are available. Thus, doing this sort of higher order function evaluation won't be of much use. – crishoj Dec 21 '13 at 21:30
  • So I intentionally broke the problem down to a simpler sub-problem, to help him understand the underlying concepts. Once you grasp this concept, applying it to fixed input is a shorter leap. My feeling is you learn a lot less if you are spoon-fed the result than if you arrive at it yourself, even if the route is somewhat circuitous. – RedDeckWins Jul 08 '14 at 20:48
  • @RedDeckWins if he's going through the challenges one by one, then he already implemented your "hint", as that is exactly one of the earlier challenges... – fstd Aug 23 '14 at 02:37
  • The challenges are now public, so I have linked my solution in the answer. – RedDeckWins Aug 23 '14 at 04:02
  • @RedDeckWins Are we supposed to decrypt the line after we identify it, or just identify it? The instructions say: "Detect it." and nothing else. – x0a Jun 25 '18 at 05:24
  • @x0a this confused me too. But unless I am missing something, even if you could detect it, wouldn't you still need the key to decrypt it? – adam tropp Feb 17 '19 at 20:00
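
The repeated-block check from the first answer and the chosen-input black-box test sketched in this answer, combined in one runnable Go program. This is an added example, not code from any poster: `encrypt`, `hasRepeatedBlock` and `isECB` are hypothetical names, and the black box is a constructed stand-in (AES-128, random key and IV). `hasRepeatedBlock` on its own also applies to a fixed, pre-computed ciphertext.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// encrypt is a constructed stand-in for the exercise's black box: AES-128 with a
// fresh random key, ECB when useECB is true, otherwise CBC with a random IV.
func encrypt(plain []byte, useECB bool) []byte {
	secret := make([]byte, 32) // 16-byte key followed by 16-byte IV
	if _, err := rand.Read(secret); err != nil {
		panic(err)
	}
	blk, _ := aes.NewCipher(secret[:16])          // a 16-byte key is always accepted
	n := aes.BlockSize - len(plain)%aes.BlockSize // PKCS#7 padding length
	data := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, len(data))
	if useECB { // ECB: every block is encrypted independently of the others
		for i := 0; i < len(data); i += aes.BlockSize {
			blk.Encrypt(out[i:i+aes.BlockSize], data[i:i+aes.BlockSize])
		}
		return out
	}
	cipher.NewCBCEncrypter(blk, secret[16:]).CryptBlocks(out, data)
	return out
}

// hasRepeatedBlock reports whether any 16-byte ciphertext block occurs twice.
func hasRepeatedBlock(ct []byte) bool {
	seen := map[string]bool{}
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		seen[string(ct[i:i+aes.BlockSize])] = true
	}
	return len(seen) < len(ct)/aes.BlockSize
}

// isECB feeds the black box four identical plaintext blocks and looks for repeats.
func isECB(oracle func([]byte) []byte) bool {
	return hasRepeatedBlock(oracle(make([]byte, 4*aes.BlockSize)))
}

func main() {
	fmt.Println("ECB box:", isECB(func(p []byte) []byte { return encrypt(p, true) }))
	fmt.Println("CBC box:", isECB(func(p []byte) []byte { return encrypt(p, false) }))
}
```
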
0

Compute the block size based on cipher text % 16 or 24 or 32, whichever is == 0.

The Hamming distance should be done by cipher block 1 with the rest of the cipher blocks.

If we average to per byte using floating-point arithmetic, and the value is below a certain threshold, then it is ECB.

-2

I know the exact exercise you're doing, I'm currently doing it right now myself. I would recommend doing Frequency Analysis on the encrypted strings (don't forget the string might be base64'd or hex). If you get back a frequency distribution that matches the language of the string you encoded then it's safe to assume it's in ECB, otherwise it's probably CBC.

I don't know if this will actually work as I'm just doing the exercise now, but it's a start.

EDIT:

I rushed this answer a bit and feel I should explain more. If it's been encrypted in ECB mode then the frequency analysis should show a normal distribution style regardless of any padding to the start/end of the string and key used. Whereas encryption in CBC mode should have a very random and probably flat distribution.

Garry Welding
  • OK, I understand. I previously tried something a little bit different: I tried to analyse the distribution of Hamming results between each plain block and cipher block, but it gave no interesting results, which is strange because it is not irrelevant. – Xantra Jul 03 '13 at 15:06
  • I don't think a frequency analysis on the encrypted string will get you much. AES completely transforms the content of the block. See https://en.wikipedia.org/wiki/Advanced_Encryption_Standard#High-level_description_of_the_algorithm. The key weakness of CBC is identical blocks of plaintext will be encrypted to identical blocks of ciphertext. – RedDeckWins Jul 03 '13 at 17:32
  • 1
    After reflection, I'm not very sure that your proposition can work, because of the 16-byte block size. If 1 bit in an input block changes, the cipher block will be totally different (same in CBC and ECB). So frequency analysis on byte value frequency makes no sense!? Am I right or wrong? – Xantra Jul 03 '13 at 17:35
  • Sorry, I meant ECB, not CBC above – RedDeckWins Jul 03 '13 at 17:40
  • 2
    Yeah, forget my answer. Tried it, FA doesn't work. I have also tried doing chi-squared and monte-carlo to test for true randomness but as expected, with it being AES, it passed both of these tests too. I emailed today for some help on this challenge. I got back the following response: "If this wasn't clear, you can choose input to the oracle."... Needless to say it didn't help at all. – Garry Welding Jul 03 '13 at 19:09
  • 2
    @GarryWelding, that is a useful hint. – RedDeckWins Jul 04 '13 at 01:49
  • 2
    Oh yes, now I understand, it's really easy. I made too complicated a study, and the answer of the staff is very helpful. – Xantra Jul 06 '13 at 10:30
  • I think you might be on the right track but you want to convolve the cipher text against itself at a hamming level. – Jeff Feb 15 '16 at 19:39