
I want to know if data stored in encrypted form is encrypted by a block cipher or a stream cipher.

I have encrypted data, how do I check that it comes from a block or a stream cipher?

Artjom B.
bhartay

1 Answer


With only the encrypted data, there's no way to tell for sure, but a good indicator is to check the data length.

All of the common modern block ciphers (AES, Blowfish, DES, Serpent, Twofish) have block sizes of either 64 or 128 bits (8 and 16 bytes, respectively). Thus, if the encrypted data length in bytes is a multiple of 8, it's likely to be a block cipher (you have 1 in 8 probability of being wrong). If it's not a multiple of 8, you can be sure it's not a block cipher in common block modes (at most, it's a block cipher trying to emulate a stream cipher, such as in CFB mode).

Don't forget to exclude any potential file/stream headers, IVs, etc. Of course, if you do have a header, you might want to check there first to detect what cipher it's using...

loopbackbee
  • You can probably also add that the length is the only metric to distinguish them, because the contents look random for every type of modern encryption (except in ECB-mode). – Artjom B. Nov 18 '14 at 13:45
  • Thanks!! I have a situation in which encrypted and plaintext data is +VZyZlAHP6HAgoaPBrBz (encrypted) 378734493671000 (plaintext) Any guess which encryption method is used (block/stream)? – bhartay Nov 18 '14 at 17:08
  • @bhartay The fact that the ciphertext is the same size as the plaintext *and* the length is 15 shows us that this is undoubtedly a stream cipher (or a block cipher used in a stream mode, such as CFB, OFB or CTR) – loopbackbee Nov 18 '14 at 17:34
  • Any way to know or any guess from your side which encryption method is used for this cipher? And one more thing +VZ is common on all data there so might be encrypted data is yZlAHP6HAgoaPBrBz ? Thanks a lot!! – bhartay Nov 18 '14 at 17:38
  • You're basically trying to perform a [known plaintext attack](https://en.wikipedia.org/wiki/Known-plaintext_attack) here. The current understanding is that it's impossible on modern ciphers. If you can choose the plaintext to encrypt, you'll have a [chosen plaintext attack](https://en.wikipedia.org/wiki/Chosen-plaintext_attack). Detecting the [block mode](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation) is then trivial, but I think it's unlikely a non-expert can tell which cipher is used. – loopbackbee Nov 19 '14 at 10:22
  • Finally, be aware that what you're calling the "encrypted data" is actually [base64 encoded](https://en.wikipedia.org/wiki/Base64). If the beginning is the same for *any* plaintext, it's likely some kind of header, or possibly a (very short) [IV](https://en.wikipedia.org/wiki/Initialization_vector). Note, though, that it's *very* unusual for ciphertext to be shorter than plaintext - unless there's compression/encoding applied before encryption. – loopbackbee Nov 19 '14 at 10:26
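
The length check from the answer, combined with the points raised in the comments (undo the Base64 encoding first, drop any header or IV, and treat ECB as the one case where content gives a hint), as an added Python example that is not part of the original answer or comments. The function names and the `header_len` parameter are hypothetical, and the 2-byte header is an assumption based on the shared `+VZ` prefix mentioned above.

```python
import base64
import binascii
from collections import Counter

# Block sizes in bytes of the ciphers named in the answer:
# 16 = AES, Serpent, Twofish; 8 = DES, Blowfish.
BLOCK_SIZES = (16, 8)


def decode_transport(text: str) -> bytes:
    """Undo Base64 transport encoding; fall back to raw bytes if it is not Base64."""
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return text.encode("utf-8")


def classify(ciphertext: bytes, header_len: int = 0) -> dict:
    """Apply the length heuristic after dropping header_len bytes of header/IV."""
    body = ciphertext[header_len:]
    if not body:
        raise ValueError("no ciphertext left after removing the header")
    fits = [bs for bs in BLOCK_SIZES if len(body) % bs == 0]
    # Identical aligned blocks are the one content-based tell: ECB mode.
    repeats = 0
    for bs in fits:
        blocks = Counter(body[i:i + bs] for i in range(0, len(body), bs))
        repeats = max(repeats, sum(c - 1 for c in blocks.values() if c > 1))
    if not fits:
        verdict = "stream cipher or stream-like mode (CFB, OFB, CTR)"
    elif repeats:
        verdict = "block cipher, probably ECB mode"
    else:
        verdict = "probably a block cipher (length alone cannot confirm)"
    return {"length": len(body), "block_sizes": fits,
            "repeated_blocks": repeats, "verdict": verdict}


if __name__ == "__main__":
    sample = decode_transport("+VZyZlAHP6HAgoaPBrBz")  # value from the comments
    print(classify(sample))                # whole value: 15 bytes
    print(classify(sample, header_len=2))  # assumption: first 2 bytes are a header
    constructed = bytes(range(16)) * 2 + bytes(16)  # constructed 48-byte input
    print(classify(constructed))
```

A length that is a multiple of 8 only makes a block cipher likely, so the "probably" verdict keeps the 1-in-8 false-positive rate the answer mentions.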