I've written my own encryption method using AES in a project I've been working on lately using PyCrypto. I use a hash to generate a 32-byte password and feed that to AES-256bit encryption using CBC. The file input is padding using PKCS#7 padding to conform to be divisible by 16.
I can encrypt and decrypt the file without incident and the input file originally encrypted along with the output file have the same SHA-256 hash.
The only problem I'm finding is that if I supply the wrong passphrase, decryption still happens. This is a problem for what I'm doing, as I need to have decryption fail fast if the passphrase is wrong.
How can I make this happen? I've heard of other methods of AES encryption, but it seems that PyCrypto only supports ECB, CBC, CFB, OFB, CTR, and OpenPGP. How can I implement cryptographically strong AES which will fail decryption without the right passphrase?
With symmetric encryption, only one secret key is used for both encryption and decryption, so if the key is not known, then AES-encrypted data cannot be read or understood. If the key becomes known, even to hackers, then AES-encrypted data can be read or understood.
Yes, you must provide the same IV for encryption and decryption.
AES stands for “Advanced Encryption Standard” and is a specification that has selected the Rijndael cipher as its symmetric key ciphering algorithm. Using AES, a message can be encrypted with a key (like a password) and no one except the key holder can decrypt the message.
The best way of making sure that your ciphertext won't decrypt when it has been changed is to add an authentication tag. An authentication tag is used to provide authentication and integrity of the ciphertext.
This tag may consist of a MAC (e.g. AES-CMAC or HMAC using SHA-256) over the ciphertext. This however requires a second key to be secure.
Another method is to use authenticated encryption such as GCM. GCM uses a single key and generates an authentication tag (the size can be configured).
Make sure you use a correctly generated IV. The IV could be prefixed to the ciphertext, and should be included when calculating the authentication tag), and don't forget that the size of your plain text may not be hidden.
You should verify the correctness of the tag before decryption of the ciphertext.
Note that in general, you should not encrypt passwords, unless you require access to the precise password at a later date. For verification of passwords, use PBKDF2 instead.
There is nothing about AES (or any other encryption algorithm for that matter) that could allow you to know whether you have the correct key. That said, it's a very useful feature when you actually want to use cryptography outside of the realm of mathematics.
What you need to do is add a block with a known value at the start of your message, that way after decrypting the first block you can compare it against the known value and know whether you have the wrong key. If the data you're encrypting has a known header you could use this instead.
Alternatively you could send a cryptographic hash (for example SHA-256) of the key along with the message, an attacker would only be able to recover the key if they could break the hash.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With