Decryption type and breaking (AES 128?)
https://stackoverflow.com/questions/1662451
-
12-09-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
My question has 2 parts. The first one is "what possible type of encryption i am on" and the other is, "what is the chance of breaking it" (as soon as the encryption algorithm was found).
So, I got the original file and the encrypted one and I was able to test the behaviour of the encrypted when something changes in the original. The most important clues I've found are:
The original and encrypted file have the exact same size (take note that the size is product of 0x10 = 128-bit)
The encryption block size seems to be 128-bit. When a byte changes on the original file, the same 128-bit block changes on the encrypted file and, sometimes (maybe) the previous or next block. But most times only this block. And the rest of the file doesn't change at all.
There are repeated sections on the original files (e.g. 16 bytes of 00 value) but non of them have the same 128-bit block result on the encrypted file. So, 16 bytes of 00 in the 2nd block has different encrypted result than 16 bytes of 00 on the next block.
Working that clues in mind, could you guess what type of algorithm could it be? I was thinking it is an AES 128-bit, but clue #2 excludes CBC mode, while clue #3 excludes ECB! Seems to be something "between" those... Could it be AES 128 on any other mode? What else could you think?
In case there is a couple of known algorithm which could possibly result on that behaviour, what are the chances of being able to break it, knowing the original data and being able to do tests on changes to the 2 files?
Thanks in advance
Solution
It sounds like it is a variation on ECB mode, where the plaintext block is XORed with a nonce that is derived from the block's position in the file before being encrypted in ECB mode.
This would result in the observed characteristics:
- No increase in file size (so therefore no IVs);
- A single byte change in the input affects an entire block of the output.
(The nonce could be as simple as a counter).
This scheme is weak. It would be susceptible to the same kind of frequency-analysis attacks that work against ECB mode - it would just take more ciphertext. Also any plaintext/ciphertext pairs you collect are re-usable for the same block positions in any unknown ciphertexts you find.
