Encrypting publicly known content = weakness or not?

[s.sec]

Suppose I am encrypting many files... for just one of these files the file content is publicly known... for example, among other files, I encrypt a file called test.txt, with only contains the text "1234567890" and the "attacker" knows the content of this specific file: does knowing the plain text and the encrypted result makes it possible to discover the password and then decrypt all other files?? thanks!

[paulej]

That should not be possible. In addition to using AES, AES Crypt also implements cipher-block chaining (CBC), making every block appear random. Even two files with the same contents and encrypted with the same key would have very different output.

Also, the password is only used to encrypt a key that is used to encrypt the larger file. These "session keys" are always different.

That said, I can't dismiss entirely that knowing the end result will aid in an attack. Any information might be useful. However, knowing the contents of the file and somehow using that to discover the next layer up means the attacker discovers the session key. Another attack would have to be performed to get the password.

I don't think the average person would have that computing power. Governments might, but they are totally quiet about their capabilities.

For now, AES is the best we have.

[s.sec]

thanks a lot!

[s.sec]

BTW, if someone currently knows how to break a certain encryption that is publicly used, they would not tell you, would they ?? But the secret would probably become known in the longer term.

[paulej]

If AES was known to be broken, that would be major news. For now, there is only rumor and speculation that governments have the ability. Nobody (who can legally talk) has any insight into the rumors. The government certainly isn't going to volunteer that information to me.

[barefootNH]

I think this is called a "known plaintext attack", and AES prevents it. All effective ciphers must have this capability.

[paulej]

AES by itself would not prevent a known plaintext attack. That's why we employ CBC and part of the reason for using a session key in AES Crypt.

[s.sec]

Where can I read more about CBC and the use of a session key in aescrypt? Do you have any books to recommend? thanks!

[paulej]

CBC is documented widely. The article on Wikipedia is pretty good:
http://en.wikipedia.org/wiki/Block_ciph ... _.28CBC.29

The session key is just what I call the key that is used to encrypt the actual file. It is just a random string of bits. The only place to look for that is in the AES Crypt source code.

[Crypto-256]

As far as I understand and know, encrypting a file or text (even a publicly known!) with AES in CBC mode (as used in AESCrypt) prevents an attacker from knowing if the encrypted file is the result of the encryption of the unencrypted (publicly known) file. Sounds complicated but is easy, you can test it yourself

I just made a short text file with Notepad and saved it in Unicode as "Test.txt", then I encrypted it with AESCrypt, the password is "test". The encrypted file, "Test.txt.aes" has the following hash
SHA-256: c6bc398e59d15fe16256818bf595a4952e4c1a7731a6426ab276602a61f131d1

Then I deleted the encrypted file and encrypted the clear-text file "Test.txt" again, with the same password "test". The new encrypted file "Test.txt.aes" has a different hash than before.
SHA-256: 0be1ca29c183f30a24ee1c7c560b9a423c0fac101a5ed45b218a7f4045c59c8d

I repeated that 3 times more, the encrypted files look always different, which is good!

Even when you encrypt the SAME file with the SAME password the results are not the same, so clearly you are protected against "known-plaintext-attacks".
So it is not a weakness if you encrypt even publicly known files, AESCrypt only gives away the name of the unencrypted file, you can just rename it, then there is absolutely no proof. In that case above, I could rename "Test.txt.aes" into "abc.txt.aes", the content would not change.

The most important thing is to use a good and long password, unsecure passwords is where most attackers pick the low-hanging-fruits.