
I am in need of a deterministic encryption algorithm I can use on social security numbers that I will store encrypted in a MongoDB and need to be able to search for them.

What I came up with is to use AES but purposefully gimp it using an unchanging IV. I just want to make sure I am not completely ruining the encryption and am only doing what I need to do to enable searching.

To summarize: if you got a dump of the DB with the SSNs encrypted as below, would you be able to get the cleartext via some sort of attack without knowing the IV and key? Would it help if I passed in the IV (instead of hard-coding it), which would act as a second key?

This is a follow-up to my other question.

using System;
using System.IO;
using System.Security.Cryptography;

public class DeterministicAes
{
    // Fixed 16-byte IV (base64), deliberately constant so equal plaintexts encrypt identically.
    private static readonly string DeterministicIv = "YO9FhYEIpGd28mJNupCjvg==";

    // "password" is a base64-encoded raw AES key (16, 24 or 32 bytes), not a passphrase.
    public static string SimpleEncryptWithPassword(string secretMessage, string password)
    {
        if (String.IsNullOrEmpty(secretMessage))
            throw new ArgumentException("Secret Message Required!", "secretMessage");
        var key = Convert.FromBase64String(password);
        var iv = Convert.FromBase64String(DeterministicIv);
        var cipherText = EncryptStringToBytes_Aes(secretMessage, key, iv);
        return Convert.ToBase64String(cipherText);
    }

    public static string SimpleDecryptWithPassword(string cipherText, string password)
    {
        if (String.IsNullOrEmpty(cipherText))
            throw new ArgumentException("Cipher Text Required!", "cipherText");
        var cipherTextBytes = Convert.FromBase64String(cipherText);
        var key = Convert.FromBase64String(password);
        var iv = Convert.FromBase64String(DeterministicIv);
        return DecryptStringFromBytes_Aes(cipherTextBytes, key, iv);
    }

    //Credit: https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.aes?view=netframework-4.7.2#examples
    // AES-CBC with PKCS7 padding (the Aes defaults); no authentication tag.
    static byte[] EncryptStringToBytes_Aes(string plainText, byte[] key, byte[] iv)
    {
        using (var aes = Aes.Create())
        using (var ms = new MemoryStream())
        {
            aes.Key = key;
            aes.IV = iv;
            using (var cs = new CryptoStream(ms, aes.CreateEncryptor(), CryptoStreamMode.Write))
            using (var sw = new StreamWriter(cs))
                sw.Write(plainText);
            return ms.ToArray();
        }
    }

    static string DecryptStringFromBytes_Aes(byte[] cipherText, byte[] key, byte[] iv)
    {
        using (var aes = Aes.Create())
        using (var ms = new MemoryStream(cipherText))
        {
            aes.Key = key;
            aes.IV = iv;
            using (var cs = new CryptoStream(ms, aes.CreateDecryptor(), CryptoStreamMode.Read))
            using (var sr = new StreamReader(cs))
                return sr.ReadToEnd();
        }
    }
}
josh
    What is the exact question here? If it works then it works. Ask if it's safe on the security site. – H H Mar 14 '19 at 15:20
  • I think the question is: if @josh uses the same initialization vector (IV) each time, will the encryption be deterministic... In response, I think the IV and the key need to be constant for it to be deterministic. – Glenn Ferrie Mar 14 '19 at 15:22
  • What exactly is your use-case? I've written three versions of this comment, but they all just come down to "what are you trying to do, and why?" There may be a better solution (compared to your current plans). – Flydog57 Mar 14 '19 at 15:24
  • So... if you encrypt the same string hundreds of times, do you get different results? Isn't just that the answer to your question? – Andrew Mar 14 '19 at 15:26
  • Yes, my solution currently works. The question is: if you got a dump of the DB with the SSNs encrypted as above, would you be able to get the cleartext via some sort of attack without knowing the IV and key? @Flydog57 see [here](https://stackoverflow.com/q/55135707/411094) for the use case. – josh Mar 14 '19 at 15:31
  • Well, if I get my hands on your encryption key and you are using the same IV for every record, I can now decrypt your entire database of SSNs. I can't do that if you vary the IV per record. I'd have to work on cracking each record. This is the point of the IV. It makes it harder to get *everything*. –  Mar 14 '19 at 15:31
  • What's with the downvote? Seems like a fair question to me. There are many posts about deterministic encryption on this site. – josh Mar 14 '19 at 15:35
  • You already have comments hinting at the downvote. You have "what is the question", "what is your use case", and a suggestion to ask this on [security.se]. –  Mar 14 '19 at 15:38
  • @amy If I had a changing IV, wouldn't I need to store the IV with the ciphertext in order to decrypt it later? Similar to what is done [here](https://stackoverflow.com/a/10366194/411094) (IV is prepended to ciphertext, then pushed through HMAC). – josh Mar 14 '19 at 15:40
  • Yes, you would store the IV alongside each encrypted record. –  Mar 14 '19 at 15:41
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/190029/discussion-between-josh-and-amy). – josh Mar 14 '19 at 15:41
  • "I am not completely ruining the encryption" - do you understand **why** we usually use different IV values? If so, why do you think *your specific use case* warrants varying your code *away* from standard usage? If you don't understand why, stop. – Damien_The_Unbeliever Mar 14 '19 at 15:42
  • So, as I understand it, you want to store encrypted SSNs in your DB, but also allow someone to take an SSN, encrypt it using the same algorithm and key (and IV or whatever the encryption alg takes) and search the DB for a matching encrypted value. I'm assuming you are going to use the same key for all of the records. Could you make the IV a function of the value (say a hash of the SSN, truncated to the right length)? But, I'm not a crypto guy - I may have completely compromised your design. – Flydog57 Mar 14 '19 at 16:26
  • Yes, using a fixed IV would make your encryption deterministic, but that is not a good thing. It will not completely ruin the security, but it will definitely downgrade it. The IV is not a secret value and it cannot act as a second key. You can decrypt your data (except the first block) even without the IV. Just create a random IV each time and store it next to the ciphertext. – t.m.adam Mar 14 '19 at 16:33
  • @t.m.adam Yes, I know I am weakening AES and it is not a good thing, but it is a requirement to make it text-searchable. Do you have a suggestion on another encryption scheme that is recallable and searchable? – josh Mar 14 '19 at 17:36
  • Sorry, no; but how would a deterministic algorithm make the ciphertext searchable? Wouldn't you have to decrypt it either way? – t.m.adam Mar 14 '19 at 17:53
  • @t.m.adam If 111223333 encrypts to the same value every time, I can search for the same ciphertext in the database and, if found, I know that that SSN exists in the DB. – josh Mar 14 '19 at 17:56
  • @Flydog57 I think you might be onto something. I'll work on it more today. – josh Mar 14 '19 at 18:02
  • Hmm... yes, in this case the IV is a problem. All AES modes require an IV/nonce, except ECB, but it may be worse than CBC with a static IV. – t.m.adam Mar 14 '19 at 18:05
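The following is an added example, not code from the question or from any of the commenters. It rebuilds the fixed-IV AES-CBC scheme from the C# above in Python with the `cryptography` package and checks the two things the thread argues about: the lookup does work, and the IV does not work as a second key. The 256-bit key and the SSN values are constructed for the demo; the IV is the one hard-coded in the question.

```python
import base64
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

BLOCK = 16
KEY = bytes(range(32))                                    # constructed 256-bit demo key
FIXED_IV = base64.b64decode("YO9FhYEIpGd28mJNupCjvg==")   # the question's hard-coded IV


def pkcs7(data: bytes) -> bytes:
    p = padding.PKCS7(128).padder()
    return p.update(data) + p.finalize()


def unpad(data: bytes) -> bytes:
    u = padding.PKCS7(128).unpadder()
    return u.update(data) + u.finalize()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """AES-CBC + PKCS7 with no authentication: the construction the C# above uses."""
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return enc.update(pkcs7(plaintext)) + enc.finalize()


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    return unpad(dec.update(ciphertext) + dec.finalize())


def ecb_decrypt_block(key: bytes, block: bytes) -> bytes:
    """Raw single-block AES decryption, D_K(block)."""
    dec = Cipher(algorithms.AES(key), modes.ECB()).decryptor()
    return dec.update(block) + dec.finalize()


def is_searchable(key: bytes, iv: bytes, ssn: bytes) -> bool:
    """Fixed IV: equal SSNs give equal ciphertexts, so a lookup by re-encrypting works.
    (With os.urandom(16) per record the two ciphertexts would differ and the lookup would not.)"""
    return cbc_encrypt(key, iv, ssn) == cbc_encrypt(key, iv, ssn)


def recover_iv(key: bytes, known_ssn: bytes, known_ct: bytes) -> bytes:
    """Attacker from the question: holds the key and the DB dump but not the IV.
    CBC's first block is C1 = E_K(P1 xor IV), so one known (SSN, ciphertext) pair,
    e.g. the attacker's own record, yields IV = D_K(C1) xor P1. Every row shares the
    IV, so every row is then decryptable: the IV is not a second key. (Even with no
    known SSN, the seven 0x07 PKCS7 bytes every 9-digit SSN ends with already pin
    down 7 of the 16 IV bytes.)"""
    return xor(ecb_decrypt_block(key, known_ct[:BLOCK]), pkcs7(known_ssn)[:BLOCK])


def blocks_correct_with_wrong_iv(key: bytes, iv: bytes, plaintext: bytes) -> list:
    """Longer plaintexts, as noted in the comments: decrypting under the wrong IV only
    garbles the first block, because P_i = D_K(C_i) xor C_(i-1) for every i > 1."""
    ct = cbc_encrypt(key, iv, plaintext)
    dec = Cipher(algorithms.AES(key), modes.CBC(bytes(BLOCK))).decryptor()
    got = dec.update(ct) + dec.finalize()
    want = pkcs7(plaintext)
    return [got[i:i + BLOCK] == want[i:i + BLOCK] for i in range(0, len(want), BLOCK)]


def dump_attack() -> list:
    """Walk through the attack on a constructed three-row dump."""
    ssns = [b"111223333", b"123456789", b"111223333"]   # constructed; row 3 repeats row 1
    dump = [cbc_encrypt(KEY, FIXED_IV, s) for s in ssns]
    assert dump[0] == dump[2] != dump[1]                 # the equality the DB search relies on
    iv = recover_iv(KEY, ssns[1], dump[1])               # attacker knows only row 2's SSN
    return [cbc_decrypt(KEY, iv, c) for c in dump]


if __name__ == "__main__":
    print(dump_attack())
```

The upshot is the one t.m.adam states: the IV is not secret material, and keeping it out of the database only delays an attacker who already has the key by one known plaintext. What a fixed IV does give up, relative to a random one, is that equal SSNs are visible as equal ciphertexts in the dump; that equality leak is the price of searching, and it is the same leak AES-SIV accepts deliberately.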

1 Answer

Went with AES-SIV as suggested and kindly explained on the Crypto sub-site

josh