11

When using blowfish algorithm from openssl library, one can encrypt and decrypt any data.

Furthermore any data can be encrypted (decrypted) with any key\iv. There is no way in openssl to tell whether decryption was successful or not. It's just some mathematical transformation.

So, what should I do to be sure that encryption was successful: that some data was decrypted with same key/iv which it was encrypted?

Should I add some MAGIC bytes in front of data that should be checked after decryption?

Marko Kevac
  • 2,902
  • 30
  • 47

4 Answers4

7

You can add a checksum (for instance, MD5 of the original content) at the end of the file. After you decrypt it, the last 16 bytes must again be equal to md5(content-16 bytes)

naivists
  • 32,681
  • 5
  • 61
  • 85
  • MD5 can be used as a checksum function, since it has relatively low ratio of collisions. Of course, it's not a typical checksum function, but it's easy to calculate and it's quite fast (I know CRC is faster ;-) – naivists Dec 31 '09 at 11:30
  • @naivists: the point is that a "checksum" is a different beast from an "hashing algorithm". – jldupont Dec 31 '09 at 12:04
  • yes, that would be the way to go. If you want to be extra-secure, you could consider using MAC instead of a plain hash function, that would require an additional secret key to compute MAC of the data. – Kris Dec 31 '09 at 14:26
  • 1
    @Krsytian: There is a relatively new construct called Authenticated Encryption With Additional Data, or AEAD, which encrypts and MACs your data sort of all-in-one operation. See RFC 5084 and RFC 5116. – President James K. Polk Dec 31 '09 at 21:31
  • @jldupont: I don't think Checksums and Hashes are intrinsically differents. See http://stackoverflow.com/questions/460576/hash-code-and-checksum-whats-the-difference for a good discussion. – Philippe Beaudoin Jan 04 '10 at 03:22
1

Of the many possible solutions, maybe consider using a CRC.

jldupont
  • 93,734
  • 56
  • 203
  • 318
  • According to Wikipedia article, "an n-bit CRC, applied to a data block of arbitrary length, will detect any single error burst not longer than n bits". This means that I should use CRC with lenght same as my encrypted message? Because, as far as I understand, "error" in message decrypted with wrong key will most probably have maximum length (length of message). This seems not memory efficient. – Marko Kevac Jan 03 '10 at 16:41
  • no, e.g.: a 32bits CRC will detect any single-bit error **burst** no longer than 32bits **independent** of encrypted message length. In other words, it is very memory efficient. Hope this helps. – jldupont Jan 03 '10 at 22:34
  • Wait, wait, wait :-) If message was decrypted with wrong key, than error length will be same as message length, right? Because most probably every bit will be wrong. Right? Does it mean that error in message longer than 32bit will not be detected? Sorry for, maybe, stupid questions. – Marko Kevac Jan 04 '10 at 09:03
  • Even if the message differs 100%, a CRC can detect this situation. If you require a more mathematical confirmation, maybe you should consider asking the question on http://mathoverflow.com/ – jldupont Jan 04 '10 at 14:05
0

Magic bytes, checksums and encrypted encryption key all makes brute force attacks much easier as the attacker then only need to run through the 2ˆ256 possibilities where he can run the message through decrypt and look for that magic or the checksum or the key inside the decrypted data. It is much harder for him to break it if he has nothing to look for, meaning that he may break it and never realize it.

DusteD
  • 1,400
  • 10
  • 14
0

the checksum method at the end of the data is best I think, however it needs you to decrypt the entire content up to the end.

from this point of view, magic bytes at the beginning would be an advantage, because you can decide if decryption was successful at the very first block. however, one could argue that by inspection of your sourcecode, an attacker has a possible advantage (partially known plaintext scenario).

so what I did (finally within a productive software) was using the key itself for the first block (instead of using constant or predictable magic bytes). this results in the following additional knowledge for an attacker:

key = decrypt(ciphertext, key)

I didn't find a proof that this would be a useful hint for an attacker if you use e.g. AES. maybe someone knows more to this.

kleopatra
  • 51,061
  • 28
  • 99
  • 211
rkrenn
  • 1