2

I did some research on the topic but could not find anything similar to my question. So I hope some of you great guys may help me out.

I want to use AES128 encryption (CFB-Mode) for the networking in my application between two individual clients. The data being exchanged consists only of textual strings of a specific structure, for example, the first bytes allways tell the recipient the kind of message they are receiving, so they can process them. With AES I want to ensure the confidentiality of the message, but now the question of "integrity" arises.

Normaly you would consider using a MAC. But isn't it guaranteed that nobody has altered the message, if the recipient is able to decrypt it correctly, i.e. that the message can be used correctly in his application because of the string's format? Wouldn't altering (even 1 bit) the encrypted message by a third party result in garbage during decryption?

Furthermore let's assume that the application is a multi-party peer-to-peer-game, where two of the players are communicating with each other on a private but AES-encrypted channel. Now the originator of the message is not playing fair and intentionally sending a fraudulent encrypted message to convey an impression that the message has been altered by a random third party (to force a player to quit). Now the recipient would have no chance to determine if the message has been altered or if the sender acts fraudulent, am I right? So Integrity would not be of much use in such a situation and could be neglected?

This may sound like an odd and out of world example. But it's something I recently encountered in a similar application and I am asking myself if there is a solution to the problem or if I got the basic Idea of AES encryption.

Fenriswolf
  • 45
  • 1
  • 4

2 Answers2

1

As you said, you may detect changes in the format of the plain text message after encryption. But at what level would it go wrong? Do you have something that is large and redundant enough to be tested? What are you going to do if the altered plain text results in some obscure exception somewhere down the line? With CFB (like most modes) an attacker can make sure that only the last part of the message is altered, for instance, and leave the first blocks intact.

And you are worried about cheats as well.

In my opinion, you are much better off using a MAC or HMAC algorithm, or a cipher mode that provides integrity/authentication on top of confidentiality (EAX or GCM for instance). If you are sure nobody else has the symmetric key, an authentication check (such as a MAC) will prove that the data has been signed by the correct key. So no, the user cannot claim that the data has been changed in transport if the authenticity checks succeed.

The next question becomes: can you trust that the symmetric key is only in possession of the other player? For this you might want to use some sort of PKI scheme (using assymetric keys) together with a key exchange mechanism such as DH. But that is for a later, if you decide to go that way.

Maarten Bodewes
  • 90,524
  • 13
  • 150
  • 263
  • Thanks. So if someone would change for example the last few bits of the message, the first part would decrypt correct and the part after the alteration would result in gibberish? Would it be a good option to use a secret between two parties instead and compute with PBKDF2 two different keys, so one can be used to encrypt and one for MAC? I would still have no chance to distinguish altered messages from fraudulent behaviour, but at least I am always able to detect the alterations. Concerning the last part: at the moment I am just assuming that the key/secret has already been exchanged securely. – Fenriswolf Dec 19 '11 at 13:30
  • PBKDF2 is too heavy for that. If you've already got a secret key, you might as well encrypt some counter value for each, or - what I would prefer - calculate a hash with the minimum number of bits for the key. The input of the hash would be the concatenation of the secret and a 4 byte counter (big endian). E.g. SHA-1( | 00000001) for the first 16 byte key and SHA-256( | 00000002) for the second 32 byte key. – Maarten Bodewes Dec 20 '11 at 16:56
0

This is a bit out of my depth, but...

Yes, modifying the encrypted bytes of an AES encrypted message should cause the decryption to fail (this has been my experience with the c# implementation). The client who decrypts will know the message is invalid. EDIT: apparently this is not the case. Looks like you'd need a CRC or hash to verify the message was successfully decrypted. The more serious problem is if the secret AES key is leaked (and in a peer-to-peer environment, the key has to be sent so the receiver can decrypt the message at all). Then a 3rd party can send messages as if they were a legitimate client, and they will be accepted as OK.

Integrity is much harder. I'm not entirely sure how robust you want things to be, but I suspect you want to use public key encryption. This allows you to include a hash of the message (like a signature or MAC) based on the private key to assert the message validity. The receiver uses the public key to verify the hash and thus the original message is OK. The main advantage of public key encryption over symmetric encryption like AES is you don't have to send the private key, only the public key. This makes it much harder to impersonate a client. SSL/TLS uses public key encryption.

In any case, once you have identified a client sending invalid messages, you're in the world of deciding to trust that client or not. That is, is the corruption due to malicious behaviour (what you're worried about)? Or a faulty client implementation (incompetence)? Or a faulty communications link?. And this is where encryption (or at least my knowledge of it) won't help you any more!

Additional regarding integrity:

If you assume no one else has access to your secret key, a CRC, hash, or HMAC would all suffice to ensure you detected changes. Simply take the body of your message, calculate the CRC, hash, whatever and append as a footer. If the hash doesn't match when you decrypt, the message has been altered.

The assumption that the secret key remains secret is quite reasonable. Especially if after some number of messages you generate new ones. SSH and WiFi's WPA both generate new keys periodically.

If you can't assume the secret key is secret, then you need to go to PKI to sign the message. With the AES key in a malicious 3rd party, they'll just generate whatever messages they want with the key.

There may be some mileage in including a sequence number in your message based on a RNG. If you use the same RNG and same seed for both parties, they should be able to predict what sequence number comes next. A 3rd party would need to intercept the original seed, and know how many messages have been sent to send valid but forged messages. (This assumes no messages can ever be lost or dropped.)

ligos
  • 4,256
  • 2
  • 25
  • 34
  • Additionally you can look into DES technologies to verify integrity. – Steven Dec 19 '11 at 00:12
  • SSL/TLS uses symmetric cryptography to secure application data, so both sides end up with knowledge of the symmetric keys. – President James K. Polk Dec 19 '11 at 00:14
  • Symmetric ciphers (during encryption/decryption) use 1:1 relation between plain text and cipher text for each encrypted block. In other words, there is no way to detect a failed encryption at that level. The only thing you can detect are changes in the plain text after decryption. One of these changes is padding, which is normally part of the encryption mode, so that *may* be detected - however padding may very well be accidentally be right. CFB however does not even use padding, so there is no way to detect failed decrypts. – Maarten Bodewes Dec 19 '11 at 01:46
  • @GregS - both sides = the owner of the private key and the server being connected to in the handshake, which is way better than sending a clear text symmetric key – ligos Dec 19 '11 at 02:34
  • I don't want to use Public-Key-Encryption at this point, at least not for all the messages, because of the performance. It is a viable option for key-exchange, though. At the moment I am just assuming that the symmetric key has been exchanged securely already, so I can use AES for message encryption. – Fenriswolf Dec 19 '11 at 13:18
  • @Fenriswolf Fair enough, PKE is rarely used beyond key exchange because of perf. I'll edit my answer for some more integrity ideas (although I'm 99.9% sure I'm out of my depth now!) – ligos Dec 19 '11 at 21:42