
Say one encrypts multiple plain text blocks with the same IV but different keys using AES-256-CBC, can one infer concatenated ciphertext block boundaries through digital forensics?

Example

Plain text block 1: foo

Plain text block 2: bar

Ciphertext block 1: <Buffer 88 65 7f 9f 7b 9d 47 51 21 cc 22 c0 2a 9e 69 57>

Ciphertext block 2: <Buffer a5 96 21 5b ed f6 e1 3b f7 7a fb 3e b4 f4 c0 4f>

Concatenated ciphertext: <Buffer 88 65 7f 9f 7b 9d 47 51 21 cc 22 c0 2a 9e 69 57 a5 96 21 5b ed f6 e1 3b f7 7a fb 3e b4 f4 c0 4f>

Concatenated ciphertext encoded to Base64: iGV/n3udR1EhzCLAKp5pV6WWIVvt9uE793r7PrT0wE8=

From “Concatenated ciphertext encoded to Base64”, can one infer boundaries of “Ciphertext block 1” and “Ciphertext block 2” without keys?

Reference implementation

```javascript
import { createCipheriv, createDecipheriv, randomBytes } from "crypto"

const algorithm = "aes-256-cbc"

// One IV shared by both encryptions
const sharedIv = randomBytes(16)

// "foo" encrypted under its own random 256-bit key
const fooSecret = "foo"
const fooKey = randomBytes(32)
const fooCipher = createCipheriv(algorithm, fooKey, sharedIv)
const fooEncrypted = fooCipher.update(fooSecret)
const fooBuffer = Buffer.concat([fooEncrypted, fooCipher.final()])

console.log(fooBuffer)

// "bar" encrypted under a different random key, same IV
const barSecret = "bar"
const barKey = randomBytes(32)
const barCipher = createCipheriv(algorithm, barKey, sharedIv)
const barEncrypted = barCipher.update(barSecret)
const barBuffer = Buffer.concat([barEncrypted, barCipher.final()])

console.log(barBuffer)

// Concatenate the two ciphertexts and print them raw and as Base64
const concatenatedBuffers = Buffer.concat([fooBuffer, barBuffer])

console.log(concatenatedBuffers, concatenatedBuffers.toString("base64"))
```

sunknudsen

1 Answer

Intuitively, this is secure against a passive attacker (that is allowed to choose the plaintexts) since both ciphertexts look like random gibberish and one cannot tell where one gibberish ends and another gibberish starts.

Formally, you should think about AES as a random permutation. Let $n$ be the block length of the ciphertext concatenation. The probability that the ciphertext concatenation contains a block collision is less than $\frac{n^2}{2^{128}}$. Conditioned on there being no collision, the ciphertext concatenation is just a sequence of $n$ distinct randomly chosen blocks.

Applying a base64 encoding is irrelevant since an attacker is free to apply that as well; it does not affect our conclusion about the ciphertext concatenation.

erth
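What someone holding only the Base64 string can read off it, as an added example (not code from the question or the answer): the function `analyze` and its field names are hypothetical, and it assumes the observer does not know how many ciphertexts were concatenated. It generalizes the two-block case in the question to any number of blocks.

```javascript
// Added example: keyless inspection of a concatenation of AES-CBC ciphertexts.
const BLOCK = 16 // AES block size in bytes

// Base64 string taken from the question's example.
const PAGE_B64 = "iGV/n3udR1EhzCLAKp5pV6WWIVvt9uE793r7PrT0wE8="

function analyze(b64) {
  const data = Buffer.from(b64, "base64") // undoing Base64 needs no secret
  if (data.length === 0 || data.length % BLOCK !== 0) {
    throw new Error("not a whole number of AES blocks")
  }
  const n = data.length / BLOCK

  // Each padded CBC ciphertext is a whole number of blocks, so a boundary
  // can only fall on a multiple of 16 bytes.
  const candidateOffsets = []
  for (let i = 1; i < n; i++) candidateOffsets.push(i * BLOCK)

  // Each candidate offset either is or is not a boundary: 2^(n-1) ways to
  // cut the data, and the bytes themselves do not favour any of them.
  const segmentations = 2n ** BigInt(n - 1)

  // A repeated block is the collision event the answer bounds; record any.
  const seen = new Map()
  const repeats = []
  for (let i = 0; i < n; i++) {
    const hex = data.subarray(i * BLOCK, (i + 1) * BLOCK).toString("hex")
    if (seen.has(hex)) repeats.push([seen.get(hex), i])
    else seen.set(hex, i)
  }

  // The answer's upper bound on a block collision: n^2 / 2^128.
  const collisionBound = (n * n) / 2 ** 128

  return { bytes: data.length, blocks: n, candidateOffsets, segmentations, repeats, collisionBound }
}

console.log(analyze(PAGE_B64))
```

What does leak is the total length in blocks and the fact that any boundary sits on a 16-byte offset, so the count and sizes of the concatenated messages should not themselves be treated as hidden when the total is this short.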