Author Topic: Encrypted file and unencrypted copy together, can password be calculated?  (Read 4597 times)


Offline InfravioletTopic starter

  • Super Contributor
  • ***
  • Posts: 1185
  • Country: gb
With classical ciphers, if one had the plain text and the cipher text together then by comparing them one could easily deduce the key, a "crib" attack in the case where part of the message was known. This was partly how Enigma was cracked, by exploiting phrases that Bletchley Park knew would be included within messages, such as one German observation post which sent almost every day a message "nothing to report", alongside using the fact Enigma could never encrypt a letter as itself.

In the case of modern symmetric cryptography, does this still apply? If a file, and an encrypted copy of that file made with something like gpg's symmetric encryption (aes256) command, or a folder and an encrypted 7z (again aes256) copy of that folder are together, does calculating the key become possible? If not, why not? Remember, passwords often get reused, despite it being bad practice, perhaps much more often for encrypting specific files than for login passwords, so if this weakness does exist then anyone who's ever encrypted a not-very-secret file, where an attacker somehow sees both the original file and its encrypted copy, could have the password worked out and then used to decrypt more private files for which the person may have used the same password as the key.

I'm not attempting to do this, it is well beyond my skill level or needs to actually reverse-engineer a password from the "plaintext and ciphertext together" situation, but I would like to understand whether the existence of such a weakness is actually a serious possibility, or if something is done by gpg/7z/the underlying AES algorithm to make it genuinely, or nearly, impossible.

Thanks
 

Offline JohanH

  • Frequent Contributor
  • **
  • Posts: 674
  • Country: fi
My understanding is that it's very hard. I'm not into cryptography or ciphers other than as a user, so I don't really have any deeper information. But this is a topic that has been discussed frequently, so searching gives some answers.

Here is one:
https://crypto.stackexchange.com/questions/1512/why-is-aes-resistant-to-known-plaintext-attacks/64079#64079
 

Online ejeffrey

  • Super Contributor
  • ***
  • Posts: 4044
  • Country: us
No, all modern symmetric ciphers are designed to be resistant to this, so called "known plain-text attacks" and it's basically step one of the cryptanalysis for any new cipher.

In fact, ciphers are additionally expected to be resistant to "chosen plain text attacks" such that even if the attacker can trick you into encrypting maliciously chosen data and then revealing the encrypted ciphertext, the attacker still isn't able to recover the key much easier than brute force.

These analyses are usually done on reduced versions of ciphers with shorter keys and fewer rounds.  So generally they will talk about this as a security parameter: how much you have to weaken the cipher before there is a known attack. 

Asymmetric ciphers (such as RSA) generally *do* have at least chosen plaintext attacks.  For instance, if you could get someone to encrypt "1" or "0" that might reveal the key.  This is one of many reasons why asymmetric ciphers aren't used by themselves, but only for key exchange.  The key can be chosen randomly to make sure it doesn't exploit known weak inputs.
 
The following users thanked this post: WillTurner

Offline InfravioletTopic starter

  • Super Contributor
  • ***
  • Posts: 1185
  • Country: gb
Thanks for clarifying that.
 

Offline Kjelt

  • Super Contributor
  • ***
  • Posts: 6587
  • Country: nl
Indeed nearly impossible (takes at this moment millions of years of attempts) unless the quantum computer is mature. Then all possible combinations can be done at once hence reducing finding the key quickly.

If the quantum computer will become mature and would be capable of doing this, then all encrypted messages from the past could also be decrypted almost instantaneously.
There are law enforcement agencies and national security agencies already storing as much encrypted content from criminals and opposing countries as possible in the hope they can soon decipher them with these new computers.

So there are now new quantum resistant encryption standards being developed.
Especially for government and military applications, where the data could be sensitive in tens of years when made public, this is a hot potato.
 

Offline InfravioletTopic starter

  • Super Contributor
  • ***
  • Posts: 1185
  • Country: gb
"If the quantum computer will become mature..."
It is my understanding that quantum computers are a threat to asymmetric (public key / private key) crypto, because a public key exists from which they can derive the private key by quickly factoring a product into its constituent primes, quickly factoring into primes with Shor's algorithm being the unique selling point of quantum computers, and the reason we should all hope there is some unforeseen practicality which makes them unworkable at scale...

But for symmetric crypto, as this example discusses, I had thought a quantum computer could do nothing more than speed up the, very long, cracking times by a factor of 2, or 10, or something like that. A factor which is unwelcome, but against the many-orders-of-magnitude-more-than-the-age-of-the-universe brute-forcing time for symmetric crypto with a decent key length, is still insignificant? Quantum computers threaten* the security of public-key / private-key methods which are needed for parties who don't have a secure channel before they meet to exchange a secure key, they aren't predicted to have any effect on symmetric crypto for stored data?

*threatening not only future communications, but any which various sinister 3 and 4 letter agencies collect today in a capture-now decrypt-later attack if they should ever get their evil hands on a quantum computer able to work reliably at scale
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 7278
  • Country: ca
There are law enforcement agencies and national security agencies already storing as much encrypted content from criminals and opposing countries as possible in the hope they can soon decipher them with these new computers.
I'd like to see this proved but I am sure you won't be able to prove it, as this is just conspiracy speculation. The economics of that is very much questionable.
Facebook-free life and Rigol-free shack.
 

Online Nominal Animal

  • Super Contributor
  • ***
  • Posts: 7214
  • Country: fi
There are law enforcement agencies and national security agencies already storing as much encrypted content from criminals and opposing countries as possible in the hope they can soon decipher them with these new computers.
I'd like to see this proved but I am sure you won't be able to prove it, as this is just conspiracy speculation. The economics of that is very much questionable.
So, you claim that PRISM, RAMPART-A, Bullrun, TRAFFICTHIEF, and XKeyscore are "just a conspiracy speculation"?

Nah, mate.  I think you should do at least minimal research before making such ridiculous claims.
 
The following users thanked this post: bitwelder, Kjelt, tooki, SiliconWizard, golden_labels, pcprogrammer

Online pcprogrammer

  • Super Contributor
  • ***
  • Posts: 4685
  • Country: nl
There are law enforcement agencies and national security agencies already storing as much encrypted content from criminals and opposing countries as possible in the hope they can soon decipher them with these new computers.
I'd like to see this proved but I am sure you won't be able to prove it, as this is just conspiracy speculation. The economics of that is very much questionable.

Can't remember how long ago and on which channel, but there was a documentary about how in the UK the overseas internet and telephone cables (fiber) are tapped to listen in on all the (internet) traffic passing by.

Lots of articles on the net about GCHQ doing this. One example: https://www.vpncompare.co.uk/uk-tapping-undersea-cables/

When needed they will store data as evidence for possible court appearance.

I'm not a conspiracy theorist, but do believe that governments and their agencies spy on all of us, and not per se for our best interest.

Offline Kjelt

  • Super Contributor
  • ***
  • Posts: 6587
  • Country: nl
There are law enforcement agencies and national security agencies already storing as much encrypted content from criminals and opposing countries as possible in the hope they can soon decipher them with these new computers.
I'd like to see this proved but I am sure you won't be able to prove it, as this is just conspiracy speculation. The economics of that is very much questionable.
It is just happening. Everybody was shocked when Snowden revealed the practices of the NSA. Do not think one second that has stopped.
Privacy? The data is encrypted so no one can touch your privacy..... yet.

To give a real world example on a small scale, the Dutch police had a problem for years. Criminals had encrypted cellphones and they texted each other continuously.
Everything was stored and one day they were able to decrypt some messages, then more and more. The article below is in Dutch but it states that the police were able to decrypt one billion of the stored encrypted messages, could arrest 10000 persons worldwide and were able to solve murders committed tens of years ago because the criminals were just talking about it, because they thought they were secure.

https://www.agconnect.nl/business/security/ruim-miljard-ontsleutelde-chatberichten-zijn-goudmijn-voor-politie
 

Offline iMo

  • Super Contributor
  • ***
  • Posts: 5578
  • Country: va
I wonder where all that data gets stored.. The storage manufacturers must be pretty happy about it.. :D
PS: there are many situations where it does not make much sense to decrypt some content as the info in it could be out of date, not useful/applicable anymore..
« Last Edit: June 12, 2024, 05:40:46 pm by iMo »
Readers discretion is advised..
 

Online radiolistener

  • Super Contributor
  • ***
  • Posts: 4143
  • Country: 00
No, all modern symmetric ciphers are designed to be resistant to this, so called "known plain-text attacks" and it's basically step one of the cryptanalysis for any new cipher.

But the presence of plain text allows one to brute-force the encryption key. It may take a long time and many computational resources, but it is still much easier than doing it without plain text  :)
 

Online radiolistener

  • Super Contributor
  • ***
  • Posts: 4143
  • Country: 00
Indeed nearly impossible (takes at this moment millions of years of attempts) unless the quantum computer is mature.

This is a naive delusion. There are too many examples of algorithms which were advertised as impossible to decipher and looked really strong from a cryptographic point of view, saying it would take billions of years and all computers in the world. And then apparently you can find some tool which can restore the key with just 60k samples using some cryptanalysis tricks. And then after some time you can find tools that can do it with just 10-20k samples, and then just 1k or even 8.... With current computation resources this is almost on the fly. :)

COMP128 A3A8 is the most known example of that...
« Last Edit: June 27, 2024, 04:40:03 pm by radiolistener »
 

Offline Kjelt

  • Super Contributor
  • ***
  • Posts: 6587
  • Country: nl
Indeed nearly impossible (takes at this moment millions of years of attempts) unless the quantum computer is mature.

This is a naive delusion. There are too many examples of algorithms which were advertised as impossible to decipher and looked really strong from a cryptographic point of view, saying it would take billions of years and all computers in the world. And then apparently you can find some tool which can restore the key with just 60k samples using some cryptanalysis tricks. And then after some time you can find tools that can do it with just 10-20k samples, and then just 1k or even 8.... With current computation resources this is almost on the fly. :)

COMP128 A3A8 is the most known example of that...
The reason why I stated "at this moment".
If a security issue is found in the future, or computational power increases exponentially, or a mature quantum computer is released: all things in the future.
 

Online Nominal Animal

  • Super Contributor
  • ***
  • Posts: 7214
  • Country: fi
Key derivation also plays a significant role.  Your passphrase provides most but not all information used to derive the actual key or initialization vector (depending on the cipher mode).  It is usually salted, and often some kind of nonce or counter is included to ensure that even though the same passphrase is used, the actual key or initialization vector differs, reducing the usefulness of and risk in comparing different files or messages encrypted with the same passphrase to their corresponding plaintexts.

Essentially, every encryption method we know is breakable, and the point is to make that as costly as possible: to take more CPU time than even the three-letter agencies have available.

After all, if someone really, really wants the data, they can simply grab you and either bribe you, drug you up, or threaten you or your close ones to force you to decrypt the data.  Governments are pretty ready to incarcerate you nowadays if you don't provide access; in particular, when entering a country you're not a citizen of.  Sometimes steganography –– hiding data –– is more valuable than plain encryption...
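An added example (not gpg's or 7z's own code, which use their own S2K / iterated-SHA-256 schemes) of the salting point above: a PBKDF2-style salted, iterated derivation, with an assumed iteration count, turning one reused passphrase into unrelated per-file keys and IVs.

```python
import hashlib
import os

# Assumed work factor and sizes; real tools pick their own.
ITERATIONS = 200_000   # each passphrase guess costs this many HMAC-SHA256 rounds
KEY_LEN = 32           # AES-256 key
IV_LEN = 16            # AES block size, for modes that need an IV


def derive_key_and_iv(passphrase: str, salt: bytes, iterations: int = ITERATIONS):
    """Stretch a passphrase into (key, iv).

    The salt is random per file and stored in the clear next to the ciphertext;
    it is not secret, it only makes every derivation unique.
    """
    material = hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, iterations,
        dklen=KEY_LEN + IV_LEN,
    )
    return material[:KEY_LEN], material[KEY_LEN:]


def encrypt_two_files_same_passphrase(passphrase: str):
    """Simulate encrypting two files with one passphrase.

    Each file gets a fresh salt, so the actual cipher keys are unrelated even
    though the passphrase repeats. Returns (salt, key, iv) per file.
    """
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    key_a, iv_a = derive_key_and_iv(passphrase, salt_a)
    key_b, iv_b = derive_key_and_iv(passphrase, salt_b)
    return (salt_a, key_a, iv_a), (salt_b, key_b, iv_b)


def keys_are_independent(passphrase: str) -> bool:
    """True when the two derivations share nothing but the passphrase."""
    (sa, ka, iva), (sb, kb, ivb) = encrypt_two_files_same_passphrase(passphrase)
    return sa != sb and ka != kb and iva != ivb


def passphrase_matches(candidate: str, salt: bytes, stored_key: bytes) -> bool:
    """Why the iteration count matters: even if one file's derived key became
    known, getting back to the passphrase means paying the full derivation
    cost for every candidate, and the result is useless for other salts."""
    key, _ = derive_key_and_iv(candidate, salt)
    return key == stored_key
```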
 

Offline JohanH

  • Frequent Contributor
  • **
  • Posts: 674
  • Country: fi
Obligatory

 
The following users thanked this post: tooki, JPortici, Nominal Animal

Offline golden_labels

  • Super Contributor
  • ***
  • Posts: 1482
  • Country: pl
Rubber-hose cryptanalysis doesn’t work against entire populations and is tamper-evident. :D

Regarding quantum computing: don’t treat it as a magical item that gives +20 to speed. It doesn’t work this way. In particular quantum computers can’t do multiple calculations in parallel; not in the sense of the word “calculation” used in other contexts.

A quantum system needs to be able to evolve in a way that exploits particular properties of the problem in question. If the problem has no such properties known, a quantum computer is useless. Only a limited number of problems can benefit. Those are many important problems and there are many cryptographic primitives exploitable with quantum computing. But it’s not like just any classical encryption is going to be broken. There is also a long route from the cryptography meaning of the word “broken” to deciphering collected messages. It’s not that bad. :)
« Last Edit: June 27, 2024, 09:12:01 pm by golden_labels »
People imagine AI as T1000. What we got so far is glorified T9.
 

Offline SiliconWizard

  • Super Contributor
  • ***
  • Posts: 15829
  • Country: fr
Sometimes steganography –– hiding data –– is more valuable than plain encryption...

Yes. Well, strictly speaking, any "good" encryption scheme should not enable anyone to distinguish it from "random" data. At which point, no one can claim that you own encrypted data. You may as well just have a bunch of random or corrupted files, or some binary format that is proprietary and that no one has a clue what it is.
 

Online radiolistener

  • Super Contributor
  • ***
  • Posts: 4143
  • Country: 00
The reason why I stated "at this moment".
If a security issue is found in the future, or computational power increases exponentially, or a mature quantum computer is released: all things in the future.

I suspect all ciphers approved by the NSA are already compromised just out of the box, otherwise they would not approve them  ;D

And they are already using special FPGA based hardware with incredible computational power, optimized for specific cipher algorithms.

The only thing that you can hope is that it is not available yet for usual hackers; these toys are for a big government mafia. :)
« Last Edit: June 28, 2024, 01:19:33 am by radiolistener »
 

Offline golden_labels

  • Super Contributor
  • ***
  • Posts: 1482
  • Country: pl
(…) should not enable anyone to distinguish it from "random" data. At which point, no one can claim that you own encrypted data.(…)
Unless you can be jailed indefinitely under the suspicion of possessing encrypted data and not revealing the key to it.
People imagine AI as T1000. What we got so far is glorified T9.
 

Offline SiliconWizard

  • Super Contributor
  • ***
  • Posts: 15829
  • Country: fr
(…) should not enable anyone to distinguish it from "random" data. At which point, no one can claim that you own encrypted data.(…)
Unless you can be jailed indefinitely under the suspicion of possessing encrypted data and not revealing the key to it.

Which is impossible to prove. So that would be intimidation based on nothing tangible. That's actually a pretty interesting question.
 

Online ejeffrey

  • Super Contributor
  • ***
  • Posts: 4044
  • Country: us
No, all modern symmetric ciphers are designed to be resistant to this, so called "known plain-text attacks" and it's basically step one of the cryptanalysis for any new cipher.

But the presence of plain text allows one to brute-force the encryption key. It may take a long time and many computational resources, but it is still much easier than doing it without plain text  :)

In practice it doesn't make a difference.  It's essentially always easy enough to tell the real plaintext from an incorrect decryption.  Usually there are predictable patterns in the first few bytes (message headers) but even if you have to brute-force decrypt several blocks to check, that's only ~10x harder.  And 10x is just not that much, considering that increasing the key size from 192 to 256 is expected to make brute force billions of times harder.  And if a significant weakness is found in the cipher that actually makes it feasible, then your 10x is mostly irrelevant anyway.
 

Online ejeffrey

  • Super Contributor
  • ***
  • Posts: 4044
  • Country: us
Sometimes steganography –– hiding data –– is more valuable than plain encryption...

Yes. Well, strictly speaking, any "good" encryption scheme should not enable anyone to distinguish it from "random" data. At which point, no one can claim that you own encrypted data. You may as well just have a bunch of random or corrupted files, or some binary format that is proprietary and that no one has a clue what it is.

That's true of the ciphertext itself, but rarely in context.  Encrypted communication and storage almost always has metadata around it, either explicit or implicit, to let the receiver know how to handle it. To be fair that's also true about traditional steganography, you need to communicate out of band how to extract the data.  But the purpose of steganography is to give an appearance of normalcy sufficient to keep someone from bothering to look deeper.
 

Offline golden_labels

  • Super Contributor
  • ***
  • Posts: 1482
  • Country: pl
There is a third option, but very inefficient. Not using encryption at all: the secret is sent in plaintext, interleaved with its own inverse. Each bit receives its own authentication code, but only the right bits have valid codes. The recipient distinguishes the secret from its inverse by validating each bit separately. The adversary sees the secret, but can’t tell it apart from its own inverse.

The technique was developed to circumvent cryptography export bans. Since PGP achieved the same in a better way and the method itself is a performance nightmare, it’s not usually deployed. But it remains in the portfolio of available options.
People imagine AI as T1000. What we got so far is glorified T9.
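The bit-level scheme described in the post above is Rivest's "chaffing and winnowing"; the following is an added example of it (not code from the post), using HMAC-SHA256 as the per-bit authentication code and a constructed key and message.

```python
import hashlib
import hmac
import secrets

# Constructed demo values; in use, the MAC key is a shared secret.
DEMO_KEY = b"shared-mac-key-for-demo"


def _tag(key: bytes, seq: int, bit: int) -> bytes:
    """MAC over (sequence number, bit value). The sequence number binds each
    bit to its position so packets cannot be reordered or swapped."""
    return hmac.new(key, seq.to_bytes(4, "big") + bytes([bit]), hashlib.sha256).digest()


def to_bits(data: bytes):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def from_bits(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def chaff(key: bytes, message: bytes):
    """Sender: for every bit emit the real bit ("wheat") with a valid MAC and
    its inverse ("chaff") with a random tag, in random order. Nothing is
    encrypted; the wire carries both possible values of every bit."""
    rng = secrets.SystemRandom()
    packets = []
    for seq, bit in enumerate(to_bits(message)):
        wheat = (seq, bit, _tag(key, seq, bit))
        bogus = (seq, bit ^ 1, secrets.token_bytes(32))
        pair = [wheat, bogus]
        rng.shuffle(pair)
        packets.extend(pair)
    return packets


def winnow(key: bytes, packets):
    """Receiver: keep only packets whose MAC verifies, ordered by sequence."""
    kept = {}
    for seq, bit, tag in packets:
        if hmac.compare_digest(tag, _tag(key, seq, bit)):
            kept[seq] = bit
    return from_bits([kept[i] for i in range(len(kept))])


def adversary_sees_both_values(packets) -> bool:
    """Without the key every position shows both 0 and 1, so the stream is
    a secret interleaved with its own inverse, exactly as the post says."""
    seen = {}
    for seq, bit, _ in packets:
        seen.setdefault(seq, set()).add(bit)
    return all(values == {0, 1} for values in seen.values())
```

Each message bit becomes two packets of 4 + 1 + 32 bytes here, which is the "performance nightmare" the post mentions.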
 

Offline helius

  • Super Contributor
  • ***
  • Posts: 3688
  • Country: us
Recovering a key from data both encrypted and decrypted is called a "known plaintext attack". Generally cryptosystems are designed to resist this type of attack, although it may sometimes be considered as a lower priority than some other attacks.

The reason that you want to resist known plaintext attacks is that there are some very common situations where the plaintext is known or predictable. If an attacker knows the format of the communications, much of the management information ("headers") is predictable. There are also situations (like with HTTP and HTTPS) where the same data can be sent encrypted or unencrypted. Being able to recover keys in these situations would make the cryptosystem worthless for protecting secrets sent over the same channels.

The weak encryption in PKZIP archives is an example of a system that is broken using known plaintext attacks. It is weak because by guessing a few bytes in the beginning of the plaintext, the cipher can be inverted to recover the key.
 

