Password to Symmetric Key Algorithm ???

Discussion related to AES Crypt, the file encryption software for Windows, Linux, Mac, and Java.
Post Reply
Steve Gibson
Posts: 2
Joined: Sun Apr 24, 2011 2:24 am

Password to Symmetric Key Algorithm ???

Post by Steve Gibson »

Hi Paul.

I'm Steve Gibson. I have some background in computers, technology, security and encryption. For the past 5 and a half years I have been co-producing, with Leo Laporte, a weekly podcast called "Security Now!", and my web site is http://grc.com.

I'm writing because I am curious about a few aspects of the specific approach(s) you used with AESCrypt:

It appears that you are pseudo-randomly generating a 128-bit initialization vector (IV) and 256-kit key, which are then encrypted using (presumably) a hash (SHA256?) of the user's provided password. What I'm most curious about is where/how you generated the pseudo-random material for the pre-encrypted the IV and Key??

As you doubtless know, high quality cryptographically strong random numbers are notoriously difficult to obtain since operating systems are inherently deterministic. The only obviously weakness that might exist in your solution could surround the source of randomness for the IV and Key before they are encrypted under the user's key.

Just curious! Thanks!!

/Steve.
User avatar
paulej
Posts: 595
Joined: Sun Aug 23, 2009 7:32 pm
Location: Research Triangle Park, NC, USA
Contact:

Re: Password to Symmetric Key Algorithm ???

Post by paulej »

Steve,

The Windows code uses a stronger algorithm for generating random numbers, in theory. It is the random number generator provided by MS as a part of the crypto APIs.

On Linux, the code presently uses /dev/urandom. This may include less entropy than is ideal, but we try to balance that by hashing the random bits, discarding some of the hashed bits, etc. In the end, the IV and key should have a high degree of randomness or, at least, less predictable.

Everything hinges on having a good RNG, but we cannot offer one better than what can be provided by the underlying operating system unless we also provide a program that creates an entropy pool much like the RNG already provided by Linux.

Of course, if there are changes you would like to make to the code to make the random bits include a higher degree of entropy, I would consider using that change.

Paul
Steve Gibson
Posts: 2
Joined: Sun Apr 24, 2011 2:24 am

Re: Password to Symmetric Key Algorithm ???

Post by Steve Gibson »

Thanks for your reply Paul.

I few final follow-up comments:
paulej wrote: The Windows code uses a stronger algorithm for generating random numbers, in theory. It is the random number generator provided by MS as a part of the crypto APIs.

On Linux, the code presently uses /dev/urandom. This may include less entropy than is ideal, but we try to balance that by hashing the random bits, discarding some of the hashed bits, etc. In the end, the IV and key should have a high degree of randomness or, at least, less predictable.
I think that using either of those sources is fine in this application. While the argument could be made that neither are super-good sources in an absolute sense, the threat model is "offline" and not "online". E.g., an attacker would be faced with determining the IV and key used with an already-encrypted file, not with being able to access the current state of the machine at the time that the IV and cipher key are being obtained. Consequently, both the Windows cryptoAPI and the Linux /dev/rand sources provide ample entropy to make the attacker's job no easier than a full brute-forcing of 384-bits.
paulej wrote: Everything hinges on having a good RNG, but we cannot offer one better than what can be provided by the underlying operating system unless we also provide a program that creates an entropy pool much like the RNG already provided by Linux.

Of course, if there are changes you would like to make to the code to make the random bits include a higher degree of entropy, I would consider using that change.
Thanks... but I think you got it! :)

/Steve.
Post Reply