1

I encrypt some sensitive data with AES128 and I use a custom method (encrypted CRC) for providing data integrity. I have calculated the probability of successful injection of invalid data, which equals 4.54e-13. It means that if an attacker injects one random packet per 1 ms, the probability of successfully injecting invalid data within a month is at the level of 1e-3.

Would you consider this a safe solution? I know that the answer depends on the sensitivity of the data, but I struggle to find information on what probabilities of injecting invalid data are considered safe.

Al Bundy
  • 119
  • 4
  • 4
    "Custom method" is an alias for "insecure". The probability you've evaluated mostly comes from the assertion "the attacker is brute-forcing like a dummy", but you might have flaws in your method that allow for smarter "injection" (which is not well defined in this question) that will drastically decrease your probability. – Xenos Jun 18 '18 at 16:13
  • @Xenos this custom method is encrypted CRC. – Al Bundy Jun 18 '18 at 16:55
  • What mode is AES running in? CBC? CTR? Also, an encrypted CRC provides poor integrity. Not only is it the Mac-Then-Encrypt scheme (which is weak to certain attacks), but CRC is not a secure hash. – forest Jun 19 '18 at 03:15
  • It is CBC mode. – Al Bundy Jun 19 '18 at 05:48

1 Answer

4

Xenos' comment is right.

Unless you are a badge-bearing cryptographer, trust the badge-bearing cryptographers and don't implement your own method. You may think your method is secure, but you have no way to really assess that. Even professional crypto guys have committed mistakes undermining their process. So use the hard work of the giants before you and use Authenticated Encryption.

It would be interesting to know how you calculated the probability of an attack. Do you have a decryption oracle? Can the attacker use chosen plaintext? Can the attacker have the source code? Does your solution follow Kerckhoffs' principle (the attacker has everything but the key)?

ThoriumBR
  • 53,925
  • 13
  • 135
  • 152
  • There is no decryption oracle. The attacker can't choose plaintext. Not sure what you mean with the question "Can it have the source"? I have assumed that attacker knows everything except the key. The idea is quite simple, integrity is granted by encrypted CRC value. I have assumed that the attacker is sending random data. Successful attack is when CRC of decrypted data matches the decrypted CRC. – Al Bundy Jun 18 '18 at 19:25
  • I meant the attacker has access to the source code. And if the attacker can send random data and receive the results, he has a decryption oracle: he can change little bits of a legitimate packet and compare the result your program gives back. With access to the source code, he can calculate the CRC before and after the modification. Another issue is the size of the CRC: a small one is very easy to brute-force. – ThoriumBR Jun 18 '18 at 19:44
  • The attacker doesn't have access to the source code. There is no decryption oracle. The CRC is long enough to provide probability of successful injection at the level of 4.54e-13. I just don't know if it is high or low value. – Al Bundy Jun 18 '18 at 19:55
  • 3
    If the attacker does not have access to the source code, you are not applying Kerckhoffs' principle. How long is the CRC? 4 bytes? 32 bytes? 128 bytes? Why not just use the already tested and tried Authenticated encryption, not rolling your own? – ThoriumBR Jun 18 '18 at 20:10
  • 2
    My CRC is 32 bytes. AEAD is probably better solution, thanks. – Al Bundy Jun 18 '18 at 21:07