11

We are using AES encryption in GCM block mode in order to encrypt a number of different kinds of data at rest on a mobile device - Android.

The key used for encryption is stored in the protected key-store offered Android so I am assuming that it is pretty robustly stored. However, we are using the same nonce/IV to encrypt different data. The nonce/IV is stored in shared preferences without any encryption. So I am assuming that it is not secure given a malicious app on a rooted android device can get into the shared preferences or another app.

What am I trying to understand is - if someone indeed gets hold of the plain-text nonce/IV and a number of different encrypted messages (which are encrypted using the same key) can they be able to decrypt the messages successfully?

We have proposed to make this better by using a different nonce for encrypting each message. However, I am not sure if this will still prevent someone from decrypting the message when they can get hold of the plain-text nonce, even when there is only one message that is encrypted with that nonce.

Here is the relevant piece of code

public synchronized String encrypt(String input) throws SecurityException {
    try {
        Cipher c = getCipher(Cipher.ENCRYPT_MODE);
        byte[] encodedBytes = c.doFinal(input.getBytes("UTF-8"));
        return Base64.encodeToString(encodedBytes, Base64.DEFAULT);
    } catch (Exception e) {
        throw new SecurityException(e);
} }
public synchronized String decrypt(String encrypted) throws SecurityException {
    try {
        Cipher c = getCipher(Cipher.DECRYPT_MODE);
        byte[] decodedValue = Base64.decode(encrypted.getBytes("UTF-8"), Base64.DEFAULT);
        byte[] decryptedVal = c.doFinal(decodedValue);
        return new String(decryptedVal);
    } catch (Exception e) {
        throw new SecurityException(e);

} }

Suhas
  • 253
  • 3
  • 10

2 Answers2

17

However, we are using the same nonce/IV to encrypt different data.

No, don't do that

if someone indeed gets hold of the plain-text nonce/IV and a number of different encrypted messages (which are encrypted using the same key) can they be able to decrypt the messages successfully?

Actually, it doesn't matter if they know the nonce; if they get two messages encrypted with the same nonce, then they can compute the xor of the two plaintexts. Depending on the nature of the plaintexts, that is often enough for an attacker to deduce the contents of the original plaintexts. Given the attacker more than two messages from the same nonce, well, that just makes it easier for him.

In addition, knowing two messages with the same nonce, then can deduce the internal value $H$ to GCM; that'll allow him to generate encrypted messages of his own that would pass validation (hence the authentication piece of GCM goes away).

We have proposed to make this better by using a different nonce for encrypting each message. However, I am not sure if this will still prevent someone from decrypting the message when they can get hold of the plain-text nonce, even when there is only one message that is encrypted with that nonce.

That is absolutely better. It doesn't matter in the slightest if the attacker knows the nonce; that knowledge doesn't allow him to deduce anything about the plaintext. In practice, we often just prepend the nonce to the ciphertext, as that's the easiest way to get the nonce to the decryptor. What matters greatly is that you never use the same nonce twice.

poncho
  • 154,064
  • 12
  • 239
  • 382
7

In AES-GCM, the IV should never be re-used. Re-using an IV may leak significant information about the authentication key (see this link form more info on how it works) . Without the authentication property, GCM mode become CTR mode, which is well known for it malleability, and therefore is not safe.

However, the IV isn't secret, you can keep it in shared space. You only have to use it only once (after all, it's a nonce).

Faulst
  • 852
  • 8
  • 19