Re: [Cfrg] Encrypting a known short text
Natanael <natanael.l@gmail.com> Fri, 22 September 2017 16:57 UTC
Return-Path: <natanael.l@gmail.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCC6213454E for <cfrg@ietfa.amsl.com>; Fri, 22 Sep 2017 09:57:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ok_DqB-aTFNg for <cfrg@ietfa.amsl.com>; Fri, 22 Sep 2017 09:57:28 -0700 (PDT)
Received: from mail-io0-x22a.google.com (mail-io0-x22a.google.com [IPv6:2607:f8b0:4001:c06::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C5AD4134545 for <cfrg@irtf.org>; Fri, 22 Sep 2017 09:57:28 -0700 (PDT)
Received: by mail-io0-x22a.google.com with SMTP id l15so4439369iol.8 for <cfrg@irtf.org>; Fri, 22 Sep 2017 09:57:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=PbpYZynJw++pJkBolnIkmMQYVgZrgjtpS5pg1oet/HA=; b=Hgh4qM+IwIcrUve0dLIvwnZarKMo4uJ+SlcSwf6ki2Jt57XT1loQJarkEbm0s8kreT QKY0qOnAcHGh/JWveBBVwZw/E1xQ6NI5p+avULZ7vpIPht5Rk2Bl00LyIDFsg3AxwYMO nfxywl5AtwPBlK4DMG4eKhvjafOUOUNNTWna3lZHmpr9XPio/+IA/eUgG7HhZSr6yQou hmhOp7yksOjKjS3JbIjh5VAshtu/IFFSYh1QQN0ONsqsDt0H3RgyAtMhK3JLEsBh1DEY 3iAtwG+RqfPqCFb6fg1BqPsGiWsBUoV6+U2kaGCMmCwbowSX3s6aFlYzoX9tiVScIYZl 4dXA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=PbpYZynJw++pJkBolnIkmMQYVgZrgjtpS5pg1oet/HA=; b=jbZROAbm3GwvStrhlWrM3VVAMP9tGToZzbqjT1XnAhgCuDRbZYzO/3YjokCmH5u7LR VjCv40uF90Q9YhJTGttKxtXT+dF3CITdELAnLxor7OK6bihy5x3GBY4uzppoPbdSwwFj TEKsFClXNJMF731P3j0Qt6iLeFmL8ZeokhDiegeECbGgyzKcIig68IbNxbHN1lyGcQzP J4uNgTyn4uHCjLxdbOrc4l7Z8+xKidL1nrav8Nk8CHXuviufoq+3j5hOq9BT0pl2e/6l IdIdn8RvUUjjviKqMJGssCvPw984remiGnM6nQA5f9eqKOezoOXGW7n4CwPTDU3EWf4T P4mg==
X-Gm-Message-State: AHPjjUg3cGQwlfaiygLRb0+S9savjzBNnseM+4FTg87O7FUQf29uckhe +DtGs4pPpHuKXp7/dzSM0T4Kc235IxDCsonIoMQ=
X-Google-Smtp-Source: AOwi7QA7ya4LlCA4OtHYl1UhN8xB37zV6TEAbrciNyRFMhmxaBtAJe/ukZAZsPsAs5AiuxY4zTmruttKEBb2NCbrQSI=
X-Received: by 10.202.218.69 with SMTP id r66mr6851097oig.250.1506099447961; Fri, 22 Sep 2017 09:57:27 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.58.39.156 with HTTP; Fri, 22 Sep 2017 09:57:27 -0700 (PDT)
Received: by 10.58.39.156 with HTTP; Fri, 22 Sep 2017 09:57:27 -0700 (PDT)
In-Reply-To: <003801d333be$9cfee670$d6fcb350$@x500.eu>
References: <003801d333be$9cfee670$d6fcb350$@x500.eu>
From: Natanael <natanael.l@gmail.com>
Date: Fri, 22 Sep 2017 18:57:27 +0200
Message-ID: <CAAt2M1_qJv7EPHoOVNsy+gVY8Ba+CvLtRsAD+w6kZwcfTk7Uow@mail.gmail.com>
To: Erik Andersen <era@x500.eu>
Cc: Cfrg <cfrg@irtf.org>
Content-Type: multipart/alternative; boundary="001a113d544497a0440559ca1a4e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/fXz8GjIKnp_TZWIdIbtpRxlbg4w>
Subject: Re: [Cfrg] Encrypting a known short text
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Sep 2017 16:57:35 -0000
Den 22 sep. 2017 18:20 skrev "Erik Andersen" <era@x500.eu>: Suppose we have a protocol, where everything is encrypted. If the clear (short) text may be guessed by an attacker (it could be an ASN.1 NULL), do we then have a security issue, where the encryption key could be revealed? For modern ciphers and ciphermodes, the private key is never at risk even if both the plaintext message, the ciphertext and any nonce/IV are known. They resist known plaintext attacks. At best the adversary could use sidechannel leakage, metadata and size correlation to make a guess, but without the secret key or another form of verifier (like a hash of the plaintext, or similar derived data) they can't confirm it. For some contexts it may be a risk, like for "convergent encryption" in which the encryption key is deterministicly determined from the plaintext, for the purpose of deduplication in encrypted file storage. This is part of the security model of such systems, but the users may not always be fully aware that somebody can guess what files they have stored if the adversary have a full identical copy of the plaintext or can guess it. This would for example apply to leaked documents or honeypot documents being possible to detect if unmodified, where your file list could be compared against known files. But if you're a bunch of people using it to store your non-sensitive media collections, then there's no problem with it. For comparison, regular encryption have full resistance to known plaintext attacks. They also have ciphertext indistinguishability (the adversary can't tell which ciphertext came from which plaintext message, even if you know the full messages). Convergent encryption also resists known plaintext attacks in the classic definition (except for when the full exact message is known, wherein you can derive the key directly), but the scheme fails completely on ciphertext indistinguishability (you can always tell *what it isn't*, and sometimes also tell what it is).
- Re: [Cfrg] Encrypting a known short text Natanael
- [Cfrg] Encrypting a known short text Erik Andersen
- Re: [Cfrg] Encrypting a known short text Greg Rose
- Re: [Cfrg] Encrypting a known short text Michael StJohns