Encryption

tags : Cryptography, Security, PKI, HMAC

FAQ §

Backup and data recovery §

More info Could Age Replace OpenPGP? {The Call of the Open Sidewalk}

Bad data §

• Different encryption tools like GPG and age may deal with this differently.
• So good to check the integrity of the input file before attempting to do anything with it.
• Example age : No data or partial data is better than bad data

  $ age -d -i key.txt -o totc_out.txt totc.txt.age
  Error: chacha20poly1305: message authentication failed
  [ Did age not do what you expected? Could an error be more useful? Tell us: https://filippo.io/age/report ]
  $ ls -l totc_out.txt
  -rw-r--r--  1 operator  operator  0 Dec 25 12:53 totc_out.txt # zero length output!!

• Example gpg : Partial bad data is better than no data

  $ gpg2 -d totc.txt.pgp >totc_out.txt
  gpg: encrypted with 2048-bit RSA key, ID B456C3BB5A48A0EA, created 2020-06-01
        "BACKUP <backup@store>"
        gpg: WARNING: encrypted message has been manipulated!
  $ ls -l totc_out.txt
  -rw-r--r--  1 operator  operator  807615 Dec 25 15:26 totc_out.txt

Database data encryption §

• See Database
• The laziest solution to the “encrypted database” use-case is to just use deterministic encryption, such as AES-ECB or with a static IV/nonce. (NOT GOOD)
• DO: Encrypt securely (i.e. AEAD with random nonces).

Cipher §

Block Cipher §

• A secure “random-looking id generator”
• Block ciphers with less than 128 bits of output are widely considered insecure: this corresponds to about 22 base64 characters.
• A block cipher is an algorithm that encrypts blocks of a fixed length. The encryption function E transforms plaintext blocks P into ciphertext blocks C by using a secret key k.

Stream Cipher §

• A stream cipher is a symmetric-key encryption algorithm that encrypts a stream of bits.
• Ideally, that stream could be as long as weʼd like; real-world stream ciphers have limits, but sufficient for practical use

Stream vs Block §

• Several block ciphers have modes of operation that allow them to function in a streaming-like manner.
  • Cipher Feedback (CFB), Output Feedback (OFB), and Counter (CTR) etc.
• With stream ciphers, we know that certain metadata is at certain indices in the stream.
  • What do I know about the plaintext and what can I LEARN about the plaintext from observing the ciphertext are two different things.
  • This is a “priori knowledge”. The fact that you used a stream cipher didn’t change anything, but it also didn’t leak anything.
  • Stream cipher may seem less secure compared to a block cipher (In a block bits are sort of jumbled around & don’t have fixed position)
  • But if we ensure authenticity, integrity (HMAC), we’re good. With stream cipher the attacker can know what could be where based on the protocol but does not know nothing about the actual data. So we all good.

To read §

• Format-preserving encryption - Wikipedia