Calculate all possible keys for AES 128 encryption to exploit hardware encryption
Clash Royale CLAN TAG#URR8PPP
up vote
14
down vote
favorite
Some background: I am using the MicroChip ATAES132a for hardware encryption/decryption. The ATAES132a is very configurable and can be misconfigured in such a way that the encryption/decryption will be performed using the same nonce. In theory, if the nonce is known I can do an encryption of the plain text and get the same ciphered text result. Based on this, I could possibly try to encrypt the same plain text with the known nonce and compare to the generated ciphered text until I get a match.
For example, in theory my target key could be some thing like this (see below). I would need to calculate every possible key, use the known nonce and the same plain text until I get the same ciphered text result.
const uint8_t g_key0 = 0x01, 0x08, 0x0E, 0x91, 0xe2, 0x64, 0x8f, 0x49, 0x0c, 0xe9, 0x80, 0x45, 0x38, 0xb5, 0x85, 0x3f ;
This would exploit how the device was configured incorrectly. The ATAES132a does all its encryption with AES in CCM mode. I can perform the attack either on the ATAES132a or on any PC using any standard AES library.
Is this attack plausible using a modern PC?
encryption aes
edited Aug 28 at 18:27
psmears
1233
asked Aug 27 at 14:41
PhillyNJ
17517
add a comment |Â
up vote
14
down vote
favorite
Some background: I am using the MicroChip ATAES132a for hardware encryption/decryption. The ATAES132a is very configurable and can be misconfigured in such a way that the encryption/decryption will be performed using the same nonce. In theory, if the nonce is known I can do an encryption of the plain text and get the same ciphered text result. Based on this, I could possibly try to encrypt the same plain text with the known nonce and compare to the generated ciphered text until I get a match.
For example, in theory my target key could be some thing like this (see below). I would need to calculate every possible key, use the known nonce and the same plain text until I get the same ciphered text result.
const uint8_t g_key0 = 0x01, 0x08, 0x0E, 0x91, 0xe2, 0x64, 0x8f, 0x49, 0x0c, 0xe9, 0x80, 0x45, 0x38, 0xb5, 0x85, 0x3f ;
This would exploit how the device was configured incorrectly. The ATAES132a does all its encryption with AES in CCM mode. I can perform the attack either on the ATAES132a or on any PC using any standard AES library.
Is this attack plausible using a modern PC?
encryption aes
edited Aug 28 at 18:27
psmears
1233
asked Aug 27 at 14:41
PhillyNJ
17517
"if the nonce is known I can do an encryption of plain text and get the same ciphered text result" If the nonce is known, you can encrypt null bytes and recover the keystream, and every message that used that nonce is now decrypted
– Richie Frame
Aug 28 at 10:13
@RichieFrame How do you recover the keystream?
– PhillyNJ
Aug 28 at 10:28
1
CCM mode generates a keystream and XORs it with the plaintext. The keystream is based on the key and nonce, if they are fixed, the keystream is always the same. All you need to do is XOR known or chosen plaintext into the matching ciphertext to recover the keystream
– Richie Frame
Aug 29 at 0:40
add a comment |Â
up vote
14
down vote
favorite
up vote
14
down vote
favorite
Some background: I am using the MicroChip ATAES132a for hardware encryption/decryption. The ATAES132a is very configurable and can be misconfigured in such a way that the encryption/decryption will be performed using the same nonce. In theory, if the nonce is known I can do an encryption of the plain text and get the same ciphered text result. Based on this, I could possibly try to encrypt the same plain text with the known nonce and compare to the generated ciphered text until I get a match.
For example, in theory my target key could be some thing like this (see below). I would need to calculate every possible key, use the known nonce and the same plain text until I get the same ciphered text result.
const uint8_t g_key0 = 0x01, 0x08, 0x0E, 0x91, 0xe2, 0x64, 0x8f, 0x49, 0x0c, 0xe9, 0x80, 0x45, 0x38, 0xb5, 0x85, 0x3f ;
This would exploit how the device was configured incorrectly. The ATAES132a does all its encryption with AES in CCM mode. I can perform the attack either on the ATAES132a or on any PC using any standard AES library.
Is this attack plausible using a modern PC?
encryption aes
edited Aug 28 at 18:27
psmears
1233
asked Aug 27 at 14:41
PhillyNJ
17517
Some background: I am using the MicroChip ATAES132a for hardware encryption/decryption. The ATAES132a is very configurable and can be misconfigured in such a way that the encryption/decryption will be performed using the same nonce. In theory, if the nonce is known I can do an encryption of the plain text and get the same ciphered text result. Based on this, I could possibly try to encrypt the same plain text with the known nonce and compare to the generated ciphered text until I get a match.
For example, in theory my target key could be some thing like this (see below). I would need to calculate every possible key, use the known nonce and the same plain text until I get the same ciphered text result.
const uint8_t g_key0 = 0x01, 0x08, 0x0E, 0x91, 0xe2, 0x64, 0x8f, 0x49, 0x0c, 0xe9, 0x80, 0x45, 0x38, 0xb5, 0x85, 0x3f ;
This would exploit how the device was configured incorrectly. The ATAES132a does all its encryption with AES in CCM mode. I can perform the attack either on the ATAES132a or on any PC using any standard AES library.
Is this attack plausible using a modern PC?
encryption aes
edited Aug 28 at 18:27
psmears
1233
asked Aug 27 at 14:41
PhillyNJ
17517
edited Aug 28 at 18:27
psmears
1233
edited Aug 28 at 18:27
psmears
1233
edited Aug 28 at 18:27
psmears
1233
1233
asked Aug 27 at 14:41
PhillyNJ
17517
asked Aug 27 at 14:41
PhillyNJ
17517
asked Aug 27 at 14:41
PhillyNJ
17517
17517
"if the nonce is known I can do an encryption of plain text and get the same ciphered text result" If the nonce is known, you can encrypt null bytes and recover the keystream, and every message that used that nonce is now decrypted
– Richie Frame
Aug 28 at 10:13
@RichieFrame How do you recover the keystream?
– PhillyNJ
Aug 28 at 10:28
1
CCM mode generates a keystream and XORs it with the plaintext. The keystream is based on the key and nonce, if they are fixed, the keystream is always the same. All you need to do is XOR known or chosen plaintext into the matching ciphertext to recover the keystream
– Richie Frame
Aug 29 at 0:40
add a comment |Â
"if the nonce is known I can do an encryption of plain text and get the same ciphered text result" If the nonce is known, you can encrypt null bytes and recover the keystream, and every message that used that nonce is now decrypted
– Richie Frame
Aug 28 at 10:13
@RichieFrame How do you recover the keystream?
– PhillyNJ
Aug 28 at 10:28
1
CCM mode generates a keystream and XORs it with the plaintext. The keystream is based on the key and nonce, if they are fixed, the keystream is always the same. All you need to do is XOR known or chosen plaintext into the matching ciphertext to recover the keystream
– Richie Frame
Aug 29 at 0:40
"if the nonce is known I can do an encryption of plain text and get the same ciphered text result" If the nonce is known, you can encrypt null bytes and recover the keystream, and every message that used that nonce is now decrypted
– Richie Frame
Aug 28 at 10:13
"if the nonce is known I can do an encryption of plain text and get the same ciphered text result" If the nonce is known, you can encrypt null bytes and recover the keystream, and every message that used that nonce is now decrypted
– Richie Frame
Aug 28 at 10:13
@RichieFrame How do you recover the keystream?
– PhillyNJ
Aug 28 at 10:28
@RichieFrame How do you recover the keystream?
– PhillyNJ
Aug 28 at 10:28
1
1
CCM mode generates a keystream and XORs it with the plaintext. The keystream is based on the key and nonce, if they are fixed, the keystream is always the same. All you need to do is XOR known or chosen plaintext into the matching ciphertext to recover the keystream
– Richie Frame
Aug 29 at 0:40
CCM mode generates a keystream and XORs it with the plaintext. The keystream is based on the key and nonce, if they are fixed, the keystream is always the same. All you need to do is XOR known or chosen plaintext into the matching ciphertext to recover the keystream
– Richie Frame
Aug 29 at 0:40
add a comment |Â
2 Answers
2
active
oldest
votes
up vote
36
down vote
accepted
Is this attack plausible using a modern PC?
No. For AES-128 (or any secure 128-bit symmetric cipher for that matter), there are $2^128$ possible keys. You would have to try on average half of those keys before finding the right one, which is $2^128/2=2^127$. At $100,000,000$ attempts per second (or around $2^26$), it would take around $2^101$ second. The universe is around 13.7 billion years old (about $2^59$ seconds). So the amount of time it would take you is $2^42$ times the age of the universe.
There are other ways you can calculate this, but the end result is the same. See How much would it cost in U.S. dollars to brute force a 256 bit key in a year?.
Finally, the relevant XKCD:
edited Aug 28 at 12:18
Jacob Bundgaard
1032
answered Aug 27 at 15:31
mikeazo
32k680138
5
Might be worth a small sidenote that this of course generalizes to all ciphers with the specific key length; not just AES-128, but any cipher with a 128-bit key. The exact amount of time needed per key (and thus the number of keys testable per second) will vary with the complexity of the key schedule (Blowfish, I'm looking at you), but at the scales we're discussing here, that doesn't really substantially change anything. A few powers of ten more or less won't make any substantial difference.
– Michael Kjörling
Aug 27 at 16:49
2
@MichaelKjörling "this of course generalizes to all ciphers with ... a 128-bit key" - only to symmetric ciphers that are not mathematically broken (yet). RSA needs 2048 to 4096 bits to be secure.
– Alexander
Aug 27 at 19:41
@Alexander, agreed, but I'm not sure I understand why you are invoking RSA here. RSA is asymmetric, not symmetric. Maybe a better comparison would be Vigenere. You could have a Vigenere cipher with 128 bit key, but it would not be secure and would be much easier to break.
– mikeazo
Aug 27 at 19:44
Good points both mikeazo and @Alexander. In my defense, I was beginning to run out of space in the margin, and I was addressing my comment primarily to mikeazo as a suggestion for an improvement to the answer.
– Michael Kjörling
Aug 27 at 19:48
1
@PaÃ…ÂloEbermann, I agree, but I wasn't completely sure what the best number would be. Besides, what's a couple of orders of magnitude among friends?
– mikeazo
Aug 28 at 0:40
 |Â
show 2 more comments
up vote
-1
down vote
in a universe of combinations you can give luck and find the correct one in 1 minute. It is not mandatory to scroll through the range to find the correct key. But you can't get luck too :-)
answered Aug 28 at 17:00
Luis Anderson Cerino Pires
1
add a comment |Â
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
36
down vote
accepted
Is this attack plausible using a modern PC?
No. For AES-128 (or any secure 128-bit symmetric cipher for that matter), there are $2^128$ possible keys. You would have to try on average half of those keys before finding the right one, which is $2^128/2=2^127$. At $100,000,000$ attempts per second (or around $2^26$), it would take around $2^101$ second. The universe is around 13.7 billion years old (about $2^59$ seconds). So the amount of time it would take you is $2^42$ times the age of the universe.
There are other ways you can calculate this, but the end result is the same. See How much would it cost in U.S. dollars to brute force a 256 bit key in a year?.
Finally, the relevant XKCD:
edited Aug 28 at 12:18
Jacob Bundgaard
1032
answered Aug 27 at 15:31
mikeazo
32k680138
5
Might be worth a small sidenote that this of course generalizes to all ciphers with the specific key length; not just AES-128, but any cipher with a 128-bit key. The exact amount of time needed per key (and thus the number of keys testable per second) will vary with the complexity of the key schedule (Blowfish, I'm looking at you), but at the scales we're discussing here, that doesn't really substantially change anything. A few powers of ten more or less won't make any substantial difference.
– Michael Kjörling
Aug 27 at 16:49
2
@MichaelKjörling "this of course generalizes to all ciphers with ... a 128-bit key" - only to symmetric ciphers that are not mathematically broken (yet). RSA needs 2048 to 4096 bits to be secure.
– Alexander
Aug 27 at 19:41
@Alexander, agreed, but I'm not sure I understand why you are invoking RSA here. RSA is asymmetric, not symmetric. Maybe a better comparison would be Vigenere. You could have a Vigenere cipher with 128 bit key, but it would not be secure and would be much easier to break.
– mikeazo
Aug 27 at 19:44
Good points both mikeazo and @Alexander. In my defense, I was beginning to run out of space in the margin, and I was addressing my comment primarily to mikeazo as a suggestion for an improvement to the answer.
– Michael Kjörling
Aug 27 at 19:48
1
@PaÃ…ÂloEbermann, I agree, but I wasn't completely sure what the best number would be. Besides, what's a couple of orders of magnitude among friends?
– mikeazo
Aug 28 at 0:40
 |Â
show 2 more comments
up vote
36
down vote
accepted
Is this attack plausible using a modern PC?
No. For AES-128 (or any secure 128-bit symmetric cipher for that matter), there are $2^128$ possible keys. You would have to try on average half of those keys before finding the right one, which is $2^128/2=2^127$. At $100,000,000$ attempts per second (or around $2^26$), it would take around $2^101$ second. The universe is around 13.7 billion years old (about $2^59$ seconds). So the amount of time it would take you is $2^42$ times the age of the universe.
There are other ways you can calculate this, but the end result is the same. See How much would it cost in U.S. dollars to brute force a 256 bit key in a year?.
Finally, the relevant XKCD:
edited Aug 28 at 12:18
Jacob Bundgaard
1032
answered Aug 27 at 15:31
mikeazo
32k680138
5
Might be worth a small sidenote that this of course generalizes to all ciphers with the specific key length; not just AES-128, but any cipher with a 128-bit key. The exact amount of time needed per key (and thus the number of keys testable per second) will vary with the complexity of the key schedule (Blowfish, I'm looking at you), but at the scales we're discussing here, that doesn't really substantially change anything. A few powers of ten more or less won't make any substantial difference.
– Michael Kjörling
Aug 27 at 16:49
2
@MichaelKjörling "this of course generalizes to all ciphers with ... a 128-bit key" - only to symmetric ciphers that are not mathematically broken (yet). RSA needs 2048 to 4096 bits to be secure.
– Alexander
Aug 27 at 19:41
@Alexander, agreed, but I'm not sure I understand why you are invoking RSA here. RSA is asymmetric, not symmetric. Maybe a better comparison would be Vigenere. You could have a Vigenere cipher with 128 bit key, but it would not be secure and would be much easier to break.
– mikeazo
Aug 27 at 19:44
Good points both mikeazo and @Alexander. In my defense, I was beginning to run out of space in the margin, and I was addressing my comment primarily to mikeazo as a suggestion for an improvement to the answer.
– Michael Kjörling
Aug 27 at 19:48
1
@PaÃ…ÂloEbermann, I agree, but I wasn't completely sure what the best number would be. Besides, what's a couple of orders of magnitude among friends?
– mikeazo
Aug 28 at 0:40
 |Â
show 2 more comments
up vote
36
down vote
accepted
up vote
36
down vote
accepted
Is this attack plausible using a modern PC?
No. For AES-128 (or any secure 128-bit symmetric cipher for that matter), there are $2^128$ possible keys. You would have to try on average half of those keys before finding the right one, which is $2^128/2=2^127$. At $100,000,000$ attempts per second (or around $2^26$), it would take around $2^101$ second. The universe is around 13.7 billion years old (about $2^59$ seconds). So the amount of time it would take you is $2^42$ times the age of the universe.
There are other ways you can calculate this, but the end result is the same. See How much would it cost in U.S. dollars to brute force a 256 bit key in a year?.
Finally, the relevant XKCD:
edited Aug 28 at 12:18
Jacob Bundgaard
1032
answered Aug 27 at 15:31
mikeazo
32k680138
Is this attack plausible using a modern PC?
No. For AES-128 (or any secure 128-bit symmetric cipher for that matter), there are $2^128$ possible keys. You would have to try on average half of those keys before finding the right one, which is $2^128/2=2^127$. At $100,000,000$ attempts per second (or around $2^26$), it would take around $2^101$ second. The universe is around 13.7 billion years old (about $2^59$ seconds). So the amount of time it would take you is $2^42$ times the age of the universe.
There are other ways you can calculate this, but the end result is the same. See How much would it cost in U.S. dollars to brute force a 256 bit key in a year?.
Finally, the relevant XKCD:
edited Aug 28 at 12:18
Jacob Bundgaard
1032
answered Aug 27 at 15:31
mikeazo
32k680138
edited Aug 28 at 12:18
Jacob Bundgaard
1032
edited Aug 28 at 12:18
Jacob Bundgaard
1032
edited Aug 28 at 12:18
Jacob Bundgaard
1032
1032
answered Aug 27 at 15:31
mikeazo
32k680138
answered Aug 27 at 15:31
mikeazo
32k680138
answered Aug 27 at 15:31
mikeazo
32k680138
32k680138
5
Might be worth a small sidenote that this of course generalizes to all ciphers with the specific key length; not just AES-128, but any cipher with a 128-bit key. The exact amount of time needed per key (and thus the number of keys testable per second) will vary with the complexity of the key schedule (Blowfish, I'm looking at you), but at the scales we're discussing here, that doesn't really substantially change anything. A few powers of ten more or less won't make any substantial difference.
– Michael Kjörling
Aug 27 at 16:49
2
@MichaelKjörling "this of course generalizes to all ciphers with ... a 128-bit key" - only to symmetric ciphers that are not mathematically broken (yet). RSA needs 2048 to 4096 bits to be secure.
– Alexander
Aug 27 at 19:41
@Alexander, agreed, but I'm not sure I understand why you are invoking RSA here. RSA is asymmetric, not symmetric. Maybe a better comparison would be Vigenere. You could have a Vigenere cipher with 128 bit key, but it would not be secure and would be much easier to break.
– mikeazo
Aug 27 at 19:44
Good points both mikeazo and @Alexander. In my defense, I was beginning to run out of space in the margin, and I was addressing my comment primarily to mikeazo as a suggestion for an improvement to the answer.
– Michael Kjörling
Aug 27 at 19:48
1
@PaÃ…ÂloEbermann, I agree, but I wasn't completely sure what the best number would be. Besides, what's a couple of orders of magnitude among friends?
– mikeazo
Aug 28 at 0:40
 |Â
show 2 more comments
5
Might be worth a small sidenote that this of course generalizes to all ciphers with the specific key length; not just AES-128, but any cipher with a 128-bit key. The exact amount of time needed per key (and thus the number of keys testable per second) will vary with the complexity of the key schedule (Blowfish, I'm looking at you), but at the scales we're discussing here, that doesn't really substantially change anything. A few powers of ten more or less won't make any substantial difference.
– Michael Kjörling
Aug 27 at 16:49
2
@MichaelKjörling "this of course generalizes to all ciphers with ... a 128-bit key" - only to symmetric ciphers that are not mathematically broken (yet). RSA needs 2048 to 4096 bits to be secure.
– Alexander
Aug 27 at 19:41
@Alexander, agreed, but I'm not sure I understand why you are invoking RSA here. RSA is asymmetric, not symmetric. Maybe a better comparison would be Vigenere. You could have a Vigenere cipher with 128 bit key, but it would not be secure and would be much easier to break.
– mikeazo
Aug 27 at 19:44
Good points both mikeazo and @Alexander. In my defense, I was beginning to run out of space in the margin, and I was addressing my comment primarily to mikeazo as a suggestion for an improvement to the answer.
– Michael Kjörling
Aug 27 at 19:48
1
@PaÃ…ÂloEbermann, I agree, but I wasn't completely sure what the best number would be. Besides, what's a couple of orders of magnitude among friends?
– mikeazo
Aug 28 at 0:40
5
5
Might be worth a small sidenote that this of course generalizes to all ciphers with the specific key length; not just AES-128, but any cipher with a 128-bit key. The exact amount of time needed per key (and thus the number of keys testable per second) will vary with the complexity of the key schedule (Blowfish, I'm looking at you), but at the scales we're discussing here, that doesn't really substantially change anything. A few powers of ten more or less won't make any substantial difference.
– Michael Kjörling
Aug 27 at 16:49
Might be worth a small sidenote that this of course generalizes to all ciphers with the specific key length; not just AES-128, but any cipher with a 128-bit key. The exact amount of time needed per key (and thus the number of keys testable per second) will vary with the complexity of the key schedule (Blowfish, I'm looking at you), but at the scales we're discussing here, that doesn't really substantially change anything. A few powers of ten more or less won't make any substantial difference.
– Michael Kjörling
Aug 27 at 16:49
2
2
@MichaelKjörling "this of course generalizes to all ciphers with ... a 128-bit key" - only to symmetric ciphers that are not mathematically broken (yet). RSA needs 2048 to 4096 bits to be secure.
– Alexander
Aug 27 at 19:41
@MichaelKjörling "this of course generalizes to all ciphers with ... a 128-bit key" - only to symmetric ciphers that are not mathematically broken (yet). RSA needs 2048 to 4096 bits to be secure.
– Alexander
Aug 27 at 19:41
@Alexander, agreed, but I'm not sure I understand why you are invoking RSA here. RSA is asymmetric, not symmetric. Maybe a better comparison would be Vigenere. You could have a Vigenere cipher with 128 bit key, but it would not be secure and would be much easier to break.
– mikeazo
Aug 27 at 19:44
@Alexander, agreed, but I'm not sure I understand why you are invoking RSA here. RSA is asymmetric, not symmetric. Maybe a better comparison would be Vigenere. You could have a Vigenere cipher with 128 bit key, but it would not be secure and would be much easier to break.
– mikeazo
Aug 27 at 19:44
Good points both mikeazo and @Alexander. In my defense, I was beginning to run out of space in the margin, and I was addressing my comment primarily to mikeazo as a suggestion for an improvement to the answer.
– Michael Kjörling
Aug 27 at 19:48
Good points both mikeazo and @Alexander. In my defense, I was beginning to run out of space in the margin, and I was addressing my comment primarily to mikeazo as a suggestion for an improvement to the answer.
– Michael Kjörling
Aug 27 at 19:48
1
1
@PaÃ…ÂloEbermann, I agree, but I wasn't completely sure what the best number would be. Besides, what's a couple of orders of magnitude among friends?
– mikeazo
Aug 28 at 0:40
@PaÃ…ÂloEbermann, I agree, but I wasn't completely sure what the best number would be. Besides, what's a couple of orders of magnitude among friends?
– mikeazo
Aug 28 at 0:40
 |Â
show 2 more comments
up vote
-1
down vote
in a universe of combinations you can give luck and find the correct one in 1 minute. It is not mandatory to scroll through the range to find the correct key. But you can't get luck too :-)
answered Aug 28 at 17:00
Luis Anderson Cerino Pires
1
add a comment |Â
up vote
-1
down vote
in a universe of combinations you can give luck and find the correct one in 1 minute. It is not mandatory to scroll through the range to find the correct key. But you can't get luck too :-)
answered Aug 28 at 17:00
Luis Anderson Cerino Pires
1
add a comment |Â
up vote
-1
down vote
up vote
-1
down vote
in a universe of combinations you can give luck and find the correct one in 1 minute. It is not mandatory to scroll through the range to find the correct key. But you can't get luck too :-)
answered Aug 28 at 17:00
Luis Anderson Cerino Pires
1
in a universe of combinations you can give luck and find the correct one in 1 minute. It is not mandatory to scroll through the range to find the correct key. But you can't get luck too :-)
answered Aug 28 at 17:00
Luis Anderson Cerino Pires
1
answered Aug 28 at 17:00
Luis Anderson Cerino Pires
1
answered Aug 28 at 17:00
Luis Anderson Cerino Pires
1
answered Aug 28 at 17:00
Luis Anderson Cerino Pires
1
1
add a comment |Â
add a comment |Â
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f61795%2fcalculate-all-possible-keys-for-aes-128-encryption-to-exploit-hardware-encryptio%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
"if the nonce is known I can do an encryption of plain text and get the same ciphered text result" If the nonce is known, you can encrypt null bytes and recover the keystream, and every message that used that nonce is now decrypted
– Richie Frame
Aug 28 at 10:13
@RichieFrame How do you recover the keystream?
– PhillyNJ
Aug 28 at 10:28
1
CCM mode generates a keystream and XORs it with the plaintext. The keystream is based on the key and nonce, if they are fixed, the keystream is always the same. All you need to do is XOR known or chosen plaintext into the matching ciphertext to recover the keystream
– Richie Frame
Aug 29 at 0:40