On 17/04/12 15:31, MauMau wrote:
Hello, Edward, Jakob, Ken,

Thanks for lots of ideas and information. I'll investigate Edward's block-number-based iv and Ken's CTR mode. Let me consult you if I get stuck again. I'll consider some way to eliminate the need to call EVP_EncryptInit_ex/EVP_DecryptInit_ex for each block/record.

Regards
MauMau

I would second Ken's recommendation for CTR mode for random access if the random access is for *read* only.

If you are going to try and use CBC mode for random (read) access then the IV must be set to the last 16 bytes of the immediately preceding 4k record, or the initial IV if it is the first 4k record. This is why in your example code you got wrong data for block2.

However in your original post you said "File type 1 consists of 4 KB blocks. The application randomly reads and writes those blocks." If you are going to attempt to randomly change, write and re-encrypt a record in the middle of your file then this will absolutely not work in CBC mode. You will corrupt everything in your file beyond the write because, as noted above, the last 16 bytes of the record you have just written is the IV for the next record. As you have changed the last 16 bytes by re-encrypting you will not be able to decrypt the following record.

If you attempt to use CTR mode in random read/write mode then this will open a massive security hole in your application. In CTR mode the counter is initialised to a random value and then incremented for each 16 byte block. The encryption works by encrypting the counter and xor'ing it to the plaintext. So if the plaintext for block 7 is m7, then the ciphertext, c7, is calculated as follows:
c7 = AES(ctr + 7) xor m7

Now if you modify m7 to be m7' then c7' would be:
c7' = AES(ctr + 7) xor m7'

The problem is that an attacker can xor the two ciphertexts together as follows:
c7 xor c7' = AES(ctr + 7) xor AES(ctr + 7) xor m7 xor m7' = m7 xor m7'
In other words XORing the original block 7 with the modified block 7 will be equal to the two plaintexts XORed together, which is trivial to crack.

If I have interpreted your original post correctly and you are trying to do random read/write then you need to select a mode that supports it. (Maybe XTS??? I'm not familiar with the details of this but probably worth looking at).


Matt
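Both points above, as an added Go example that is not from the list thread and does not use OpenSSL (Go's standard crypto/cipher stands in for EVP): reading one 4 KB CBC record on its own requires the last 16 ciphertext bytes of the previous record as its IV, and rewriting a record in place under CTR with the same start counter hands out c xor c' = m xor m'. Key, IV and record contents are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
)

// Constructed key, IV and record size, for demonstration only.
const recSize = 4096
var key = []byte("0123456789abcdef0123456789abcdef")
var iv = []byte("fixed-iv-16bytes")

func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// cbcEncryptFile encrypts the whole file as one CBC chain of 4 KB records.
func cbcEncryptFile(plain []byte) []byte {
	blk, _ := aes.NewCipher(key) // key length is fixed above, so err is nil
	out := make([]byte, len(plain))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(out, plain)
	return out
}

// cbcReadRecord decrypts record n alone: its IV is the last 16 ciphertext
// bytes of record n-1, or the file IV for record 0.
func cbcReadRecord(ct []byte, n int) []byte {
	blk, _ := aes.NewCipher(key)
	chain := iv
	if n > 0 {
		chain = ct[n*recSize-aes.BlockSize : n*recSize]
	}
	out := make([]byte, recSize)
	cipher.NewCBCDecrypter(blk, chain).CryptBlocks(out, ct[n*recSize:(n+1)*recSize])
	return out
}

// ctrRewriteLeak rewrites one record in place under CTR with the same
// start counter and returns c xor c'; the keystream cancels, leaving m xor m'.
func ctrRewriteLeak(m, mPrime []byte) []byte {
	blk, _ := aes.NewCipher(key)
	c, cPrime := make([]byte, len(m)), make([]byte, len(mPrime))
	cipher.NewCTR(blk, iv).XORKeyStream(c, m)
	cipher.NewCTR(blk, iv).XORKeyStream(cPrime, mPrime)
	return xorBytes(c, cPrime)
}
```

Decrypting record 1 with the file IV instead of the chained block is exactly the "wrong data for block2" symptom from the earlier mail.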

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org