Random access encryption with AES in Counter mode using Fortuna PRNG


Question



I'm building file encryption based on AES that has to be able to work in random-access mode (accessing any part of the file). AES in Counter mode, for example, can be used, but it is well known that we need a unique sequence that is never used twice. Is it OK to use a simplified Fortuna PRNG in this case (encrypting a counter with a randomly chosen unique key specific to the particular file)? Are there weak points in this approach?

So encryption/decryption can look like this:

Encryption of a block at Offset:

rndsubseq = AESEnc(Offset, FileUniqueKey)
xoredplaintext = plaintext xor rndsubseq
ciphertext = AESEnc(xoredplaintext, PasswordBasedKey)

Decryption of a block at Offset:

rndsubseq = AESEnc(Offset, FileUniqueKey)
xoredplaintext = AESDec(ciphertext, PasswordBasedKey)
plaintext = xoredplaintext xor rndsubseq

One observation. I came to the idea used in Fortuna by myself and, sure enough, discovered later that it had already been invented. But as I read everywhere, the key point about it is security; there is another good point, though: it is a great random-access pseudo-random number generator, so to speak (in simplified form). So it is a PRNG that not only produces a very good sequence (I tested it with Ent and Die Hard) but also allows access to any sub-sequence if you know the step number. So is it generally OK to use Fortuna as a "random-access" PRNG in security applications?

EDIT:

In other words, what I suggest is to use the Fortuna PRNG as a tweak to form a tweakable AES cipher with random-access ability. I read the work of Liskov, Rivest and Wagner, but could not understand what the main difference is between a cipher in a mode of operation and a tweakable cipher. They said they suggested bringing this approach from the high level inside the cipher itself, but for example in my case, XORing the plaintext with the tweak: is this a tweak or not?

Solution

I think you may want to look up how "tweakable block ciphers" work and have a look at how the problem of disc encryption is solved: Disk encryption theory. Encrypting the whole disk is similar to your problem: encryption of each sector must be done independently (you want independent encryption of data at different offsets) and yet the whole thing must be secure. There is a lot of work done on that. Wikipedia seems to give a good overview.

EDITED to add: Re your edit: Yes, you are trying to make a tweakable block cipher out of AES by XORing the tweak with the plaintext. More concretely, you have Enc(T,K,M) = AES(K, f(T) xor M), where AES(K,...) means AES encryption with the key K and f(T) is some function of the tweak (in your case I guess it's Fortuna). I had a brief look at the paper you mentioned, and as far as I can see it's possible to show that this method does not produce a secure tweakable block cipher. The idea (based on definitions from section 2 of the Liskov, Rivest, Wagner paper) is as follows. We have access to either the encryption oracle or a random permutation, and we want to tell which one we are interacting with. We can set the tweak T and the plaintext M and we get back the corresponding ciphertext, but we don't know the key which is used. Here is how to figure out if we use the construction AES(K, f(T) xor M). Pick any two different values T, T' and compute f(T), f(T'). Pick any message M and then compute the second message as M' = M xor f(T) xor f(T'). Now ask the encrypting oracle to encrypt M using tweak T and M' using tweak T'. If we deal with the considered construction, the outputs will be identical. If we deal with random permutations, the outputs will almost certainly (with probability 1-2^-128) be different. That is because both inputs to the AES encryptions will be the same, so the ciphertexts will also be identical. This would not be the case when we use random permutations, because the probability that the two outputs are identical is 2^-128. The bottom line is that XORing the tweak into the input is probably not a secure method.

The paper gives some examples of what they can prove to be a secure construction. The simplest one seems to be Enc(T,K,M) = AES(K, T xor AES(K, M)). You need two encryptions per block, but they prove the security of this construction. They also mention faster variants, but they require an additional primitive (almost-XOR-universal function families).
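The question's scheme, the answer's two-query distinguishing test, and the AES(K, T xor AES(K, M)) construction the answer cites, worked through in Go as an added example; this is not code from the thread or from the Liskov, Rivest and Wagner paper. It uses only the standard-library crypto/aes block function. The keys, the 16-byte message and the offset encoding (big-endian 64-bit offset in the low half of the counter block) are constructed for the example. The answer's argument models f(T) as something the party making the queries can evaluate, so the collision check is given the file key and computes f(T) itself, exactly as the answer's "compute f(T), f(T')" step does.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

// Block is one 16-byte AES block; arrays are comparable, so two blocks can be compared with ==.
type Block [aes.BlockSize]byte

// Constructed sample keys (not from the thread); 16 bytes each, so AES-128.
var (
	samplePassKey = []byte("0123456789abcdef") // the question's PasswordBasedKey
	sampleFileKey = []byte("fedcba9876543210") // the question's FileUniqueKey
)

func xorBlocks(a, b Block) Block {
	var out Block
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// aesEnc and aesDec apply the raw AES block function (no mode of operation) under key.
func aesEnc(key []byte, in Block) Block {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	var out Block
	c.Encrypt(out[:], in[:])
	return out
}

func aesDec(key []byte, in Block) Block {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	var out Block
	c.Decrypt(out[:], in[:])
	return out
}

// offsetBlock encodes the block offset T as a counter block
// (assumed layout: big-endian 64-bit offset in the low 8 bytes, zeros above).
func offsetBlock(offset uint64) Block {
	var b Block
	binary.BigEndian.PutUint64(b[8:], offset)
	return b
}

// tweakOf is f(T) from the answer: the question's simplified Fortuna step,
// rndsubseq = AESEnc(Offset, FileUniqueKey).
func tweakOf(fileKey []byte, offset uint64) Block {
	return aesEnc(fileKey, offsetBlock(offset))
}

// xorTweakEncrypt is the question's construction, Enc(T,K,M) = AES(K, f(T) xor M).
func xorTweakEncrypt(passKey, fileKey []byte, offset uint64, m Block) Block {
	return aesEnc(passKey, xorBlocks(m, tweakOf(fileKey, offset)))
}

func xorTweakDecrypt(passKey, fileKey []byte, offset uint64, c Block) Block {
	return xorBlocks(aesDec(passKey, c), tweakOf(fileKey, offset))
}

// lrwEncrypt is the construction the answer cites as provably secure,
// Enc(T,K,M) = AES(K, T xor AES(K, M)): two block encryptions per block.
func lrwEncrypt(key []byte, offset uint64, m Block) Block {
	return aesEnc(key, xorBlocks(offsetBlock(offset), aesEnc(key, m)))
}

func lrwDecrypt(key []byte, offset uint64, c Block) Block {
	return aesDec(key, xorBlocks(aesDec(key, c), offsetBlock(offset)))
}

// collides runs the answer's two-query test against an encryption oracle enc:
// with M' = M xor f(T) xor f(T'), it reports whether Enc(T, M) == Enc(T', M').
// A random tweakable permutation answers true with probability 2^-128, so a
// true result identifies the XOR-tweak construction.
func collides(enc func(offset uint64, m Block) Block, fileKey []byte, t, tPrime uint64, m Block) bool {
	mPrime := xorBlocks(m, xorBlocks(tweakOf(fileKey, t), tweakOf(fileKey, tPrime)))
	return enc(t, m) == enc(tPrime, mPrime)
}

func main() {
	var m Block
	copy(m[:], "sample plaintext") // constructed 16-byte message

	// Round trip of the question's scheme at block offset 7.
	c := xorTweakEncrypt(samplePassKey, sampleFileKey, 7, m)
	fmt.Println("round trip ok:", xorTweakDecrypt(samplePassKey, sampleFileKey, 7, c) == m)

	xorEnc := func(o uint64, m Block) Block { return xorTweakEncrypt(samplePassKey, sampleFileKey, o, m) }
	lrwEnc := func(o uint64, m Block) Block { return lrwEncrypt(samplePassKey, o, m) }
	fmt.Println("XOR-tweak pair collides:", collides(xorEnc, sampleFileKey, 3, 4, m))               // true
	fmt.Println("AES(K, T xor AES(K,M)) pair collides:", collides(lrwEnc, sampleFileKey, 3, 4, m)) // false
}
```

Running it shows the point of the answer in two lines: the XOR-tweak scheme returns the same ciphertext for the pair (T, M) and (T', M xor f(T) xor f(T')), because both AES inputs are m xor f(T), while the double-encryption construction does not, since the inner AES(K, M) and AES(K, M') outputs are unrelated to the tweaks being XORed in. The round-trip check also confirms that changing the offset changes the ciphertext, which is the random-access property the question wanted.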
