AES decryption fails if password is incorrect

I wrote my own encryption method using AES in a project that I recently worked on with PyCrypto. I use a hash to generate a 32-byte password, which is used to encrypt with AES-256 in CBC mode. The file input is padded with PKCS#7 so that its length is divisible by 16.

I can encrypt and decrypt the file without incident, and the source file and the decrypted output file have the same SHA-256 hash.

The only problem I have found is that if I enter the wrong passphrase, decryption happens anyway. This is a problem for what I am doing, because I need the decryption to fail quickly if the passphrase is incorrect.

How can I do this? I have heard of other AES encryption modes, but it seems that PyCrypto only supports ECB, CBC, CFB, OFB, CTR and OpenPGP. How can I implement cryptographically strong AES that cannot decrypt without the correct passphrase?

+4
3 answers

There is nothing in AES (or any other encryption algorithm) that lets you know whether you have the correct key. However, this is a very useful feature when you want to use cryptography outside the realm of pure mathematics.

What you need to do is add a block with a known value at the beginning of your message, so that after decrypting the first block you can compare it with the known value and find out whether you have the wrong key. If the data you encrypt already has a known header, you can use that instead.

Alternatively, you can send a cryptographic hash (for example, SHA-256) of the key along with the message; an attacker can recover the key only if they can break the hash.

+1

The best way to make sure your ciphertext will not be decrypted when it has been modified is to add an authentication tag. An authentication tag provides authentication and integrity of the ciphertext.

This tag can be a MAC (for example, AES-CMAC, or HMAC using SHA-256) computed over the ciphertext. However, this requires a second key.

Another method is to use authenticated encryption such as GCM. GCM uses a single key and generates an authentication tag (its size is configurable).

Make sure you are using a properly generated IV. The IV may be prefixed to the ciphertext (and should be included when calculating the authentication tag), and do not forget that the size of your plaintext is not hidden.

You must verify that the tag is correct before decrypting the ciphertext.

Please note that in general you should not encrypt passwords unless you need access to the exact password later. To verify passwords, use PBKDF2 instead.

+4

To provide the required fail-fast property, you need to add a header to the encrypted data. I suggest using a random "confounder" nonce (similar to a cryptographic salt) combined with a known constant "magic number"; the presence of the confounder, like a salt, provides a measure of protection against attacks based on pre-computed tables.

With such a header, you only need to decrypt the header and check the magic-number field; if it does not match the known constant, the key is wrong. If it matches, drop the header and process the rest of the input.

0
