AES CTR without IV - same key for multiple messages - safe?


Question

I want to make a web page in js that will encrypt plaintext, so I can send it to a friend, who will use the same web page to decrypt it.

We will share the same secret key and use it for multiple messages.

I know that when using AES CBC there needs to be a random iv for every message, but I'd like to use AES CTR.

I will use a 256-bit key, not a password.

I have two questions:

  1. Can I use the same key multiple times with CTR and no iv?
  2. If I use CBC, is it safe to send the iv in plaintext along with the encrypted message?

I'm using aes-js and basic common modes of operation:

https://github.com/ricmoo/aes-js#ctr---counter-recommended

https://github.com/ricmoo/aes-js#cbc---cipher-block-chaining-recommended

I want best possible security.

Recommended answer

First, there is no such thing as CTR or CBC with "no IV." You are likely just using all zeros as the IV. There is always an IV. (CTR calls its IV a nonce.)

CTR must never, ever reuse a nonce+Key pair. It can completely destroy the encryption. This is a major reason to avoid CTR unless you know what you're doing. It is difficult to use correctly and has horrible failure modes. (The fact that WEP is now considered completely broken is very closely related to this question.) I'm not saying that CTR is bad when used correctly; I'm saying that small errors are catastrophic.

CBC should never reuse an IV+Key, but it is not as devastating. This is a major reason that CBC is a very good choice for non-experts. Even when used incorrectly, it is relatively secure. Reusing the IV+Key pair, however, introduces two major problems:

  • Exposes the first 16 bytes to decryption, and more blocks if two messages have the same prefix.
  • Encrypts identical messages identically (and identical prefixes identically). This indirectly leaks a lot of information about the messages.

The standard construction, well suited to non-experts because the tools are readily available on many platforms and relatively easy to use correctly, is as follows:

Random IV + CBC-ciphertext + HMAC

The IV is not secret. It is standard and correct to send it along with the message. The IV must only be unpredictable by attackers. Even an occasional reuse leaks little information, as long as attackers cannot predict (or control) the IV. Obviously if it's always zero, predicting it is trivial.

CBC (and also CTR) does not provide any authentication of the message. It may be modified in transit. If an attacker knows the plaintext message, there are cases where they can modify the encrypted message in order to decrypt in a known way. For example, if I know (or can guess) the message reads "To Bob: $100" it is possible to modify that message without knowing the password to be "To Eve: $100". Authentication prevents this. The way to authenticate CBC is with an HMAC (encrypt first, then hash).

For an example of this format in practice, see the RNCryptor format, including RNCryptor-js.

Maarten mentions GCM, and I agree that it is an excellent piece of cryptography, but I disagree that non-experts should use it. As a counter mode, it has the same dangers as CTR. If used incorrectly, it completely falls apart (vs CBC which has a much smoother loss of security). This is a highly opinionated subject, however, and GCM fans are not wrong. I just disagree on what "standard best practice for non-experts" should be.

To "I want best possible security," then you absolutely need to involve security experts. Selecting the right block mode is the simplest part of securing a system, and there are many other pitfalls that are just as important.
