0

as the question says, i would like to know if it is important to generate a strong key in order to encrypt connection.

Let's assume i'm using AES Symmetric Key Encryption Algorithm. What changes can i achieve by using a key such as: "helloworld" or some particular hash value evaluated from some process?

The fact is that, using pseudo random generator is a good key generation process. But what if i simply used a static key without exchanging it to the outside communication channel? How can an attacker find my key?

Thanks

Francesco Rizzi
  • 631
  • 6
  • 24
  • 4
    Stackoverflow is for [programming questions](https://stackoverflow.com/help/on-topic). Questions about **cryptography or security** are off-topic for Stack Overflow unless they directly involve tools used primarily for programming. You may be able to get help on [Crypto](https://crypto.stackexchange.com/) or [Security](https://security.stackexchange.com/). – President James K. Polk Feb 27 '18 at 03:43

1 Answers1

1

The key creation is very important. There are two approaches, one is a random key generated by a cryptographically secure pseudo random number generator CSPRNG and the other derived from text.

When using text as a key the brute force approach is to try text from lists of frequently used passwords such as SecLists. The approach against this is to use a derivation method that is slow in order to make such a brute force infeasible. One common method is the Password Based Key Derivation 2 PBKDF2 also noes as RFC2898, another newer method is Argon2. In both cases a general goal is to choose a work factor such that about 100ms of CPU time is required.

zaph
  • 111,848
  • 21
  • 189
  • 228
  • Ok, but how can my protection be less robust if i simple use a "abcd" for both hosts without exchanging any info about the key? – Francesco Rizzi Feb 26 '18 at 22:15
  • See updated answer, "abcd" will fall to a brute force attack very quickly. "abcd" is entry 812 on the 10K list. – zaph Feb 26 '18 at 22:19
  • Ok then, let's assume i want to use a timestamp key for the communication, how can i say that this kind of key is less secure to an other method? Thanks for the answer – Francesco Rizzi Feb 26 '18 at 22:20
  • 1
    Time stamps are also bad because the time is generally easy to find, the early Netscape browsers fell to this attack. – zaph Feb 26 '18 at 22:22
  • 3
    @FrancescoRizzi you are making the mistake of thinking that because something seems difficult for you to discover, it must be hard for others. There is an entire field of Cryptanalysis that is devoted to solving the problems you are posing... and they are trivial problems. – David Hoelzer Feb 26 '18 at 22:23