-2

We want to design a symmetric encryption scheme. Note that the following things are true for our system:

  1. The plaintext P will change every time for a given user.
  2. A user will choose a password which may remain the same for their lifetime.
  3. A 256-bit key K is derived by hashing the user's password (using SHA256).
  4. We will need to encrypt plaintexts multiple times. However, it is guaranteed that each time, the plaintext will be different.
  5. Plaintext is guaranteed to be 256-bit.
  6. Plaintext will be generated internally in the system and no one can access it.
  7. Ciphertext will be in the public domain. So a user in possession of the password can derive the plaintext.

If we use an XOR cipher (C = P ^ K and P = C ^ K), is this system secure? Our alternative is to use AES or ChaCha20-Poly1305. Will either of those offer any advantage over the XOR-cipher scheme?

PS. We'll be using a checksum (SHA of the plaintext) in the XOR-based system for integrity (as ChaCha-Poly has a MAC).

Orwell
  • 11
  • 3

2 Answers

1

This appears to be a one time pad cipher, turned into a multi time pad cipher, as the key remains the same for every different plaintext that is entered. This is a broken construction then - look at the "Use and Security" tab of your wiki link.

If AES for example is used, say in CTR mode, using a counter, then it is secure, as long as the counter never repeats - otherwise it basically becomes a multi-time pad again.

For integrity checking, use a HMAC or similar with the key being the hash of the AES key, or with some HKDF extract and expand system. The problem with using just a hash is if someone changes the ciphertext, then they can recompute the hash and change it, so the integrity is broken.

SamG101
  • 633
  • 4
  • 12
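The construction this answer describes, written out as an added example (not code from the question or either answer): a slow password KDF for the master key, HKDF-Expand to split it into separate encryption and MAC keys, counter-mode encryption under a fresh random nonce, and Encrypt-then-MAC with HMAC verified in constant time. To stay on the Python standard library, HMAC-SHA256 over (nonce || counter) stands in for the AES block function; the counter-mode structure, and the rule that a nonce must never repeat under one key, are the same as for AES-CTR. All key, salt and message values are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional, Tuple

NONCE_LEN = 16
TAG_LEN = 32


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def derive_master_key(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Password -> 256-bit master key with a deliberately slow KDF (PBKDF2-HMAC-SHA256).
    The salt is stored next to the ciphertext; it does not need to be secret."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def hkdf_expand_sha256(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with HMAC-SHA256. The extract step is skipped because the
    PBKDF2 output is already a uniformly random key."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_subkeys(master_key: bytes) -> Tuple[bytes, bytes]:
    """One master key, two independent subkeys: (encryption key, MAC key)."""
    okm = hkdf_expand_sha256(master_key, b"demo-enc-then-mac-v1", 64)  # constructed info label
    return okm[:32], okm[32:]


def ctr_keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: PRF(enc_key, nonce || 64-bit block counter) for each block.
    HMAC-SHA256 plays the block-function role here so the example runs without AES."""
    stream, counter = b"", 0
    while len(stream) < length:
        stream += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return stream[:length]


def encrypt(master_key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce || ciphertext || HMAC(nonce || ciphertext)."""
    enc_key, mac_key = derive_subkeys(master_key)
    if nonce is None:
        nonce = secrets.token_bytes(NONCE_LEN)  # fresh per message; never reuse under one key
    ciphertext = xor_bytes(plaintext, ctr_keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(master_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting anything."""
    enc_key, mac_key = derive_subkeys(master_key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: ciphertext or tag was modified")
    return xor_bytes(ciphertext, ctr_keystream(enc_key, nonce, len(ciphertext)))


def tamper_is_rejected(master_key: bytes, blob: bytes) -> bool:
    """Flip one bit of the first ciphertext byte and check that decrypt() refuses it."""
    pos = NONCE_LEN
    forged = blob[:pos] + bytes([blob[pos] ^ 0x01]) + blob[pos + 1:]
    try:
        decrypt(master_key, forged)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    mk = derive_master_key("hunter2", salt=b"constructed-16B!")  # constructed sample values
    p1 = b"transfer 100 to account 12345678"
    p2 = b"transfer 999 to account 87654321"
    print("distinct ciphertexts for one plaintext:", encrypt(mk, p1) != encrypt(mk, p1))
    print("round trip:", decrypt(mk, encrypt(mk, p1)) == p1)
    print("tamper rejected:", tamper_is_rejected(mk, encrypt(mk, p1)))
    # Nonce reuse turns CTR back into a many-time pad: C1 ^ C2 == P1 ^ P2.
    n = bytes(NONCE_LEN)
    c1 = encrypt(mk, p1, n)[NONCE_LEN:-TAG_LEN]
    c2 = encrypt(mk, p2, n)[NONCE_LEN:-TAG_LEN]
    print("nonce reuse leaks P1 ^ P2:", xor_bytes(c1, c2) == xor_bytes(p1, p2))
```

The last four lines of the demo are the caveat from the answer made concrete: with the nonce forced to a constant, the two ciphertext bodies XOR to the XOR of the plaintexts, exactly as in the question's fixed-key scheme. The random nonce in `encrypt` is what prevents that, and the HMAC over nonce and ciphertext is what the plain SHA checksum does not give you.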
0

The system is either insecure or horribly insecure.

When using Xor, an attacker with two ciphertexts can xor them, eliminating the key and getting the Xor of two plaintexts.

You said plaintexts are all distinct and 256 bits; if they are chosen uniformly at random, getting the XOR of two of them is obviously not desirable but doesn't immediately reveal the plaintexts.

If even one plaintext is revealed, it reveals all others for the same key; if part of one plaintext is revealed, it reveals the matching part in all others.

If the plaintexts are low entropy, guessable, or have some structure (e.g. are partly in human language), the XOR of pairs of plaintexts trivially reveals the plaintexts and the key.

Even if you use a strong cipher, e.g. AES CTR, your key derivation is weak and allows for efficient brute forcing of passwords. A general purpose hashing function makes for poor password based key derivation. Use something suitable, e.g. PBKDF2, bcrypt, scrypt or Argon2. These slow down brute forcing. Remember user chosen passwords are not high entropy.

Meir Maor
  • 12,053
  • 1
  • 24
  • 55
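The attacks described in this answer, and the XOR scheme from the question they apply to, as an added example (not code from the question or either answer). The password, the two 32-byte plaintexts and the candidate wordlist are constructed; the plaintexts share a fixed message format, as real application data usually does, so the ciphertext-only XOR already leaks which byte positions agree. The forgery shows why the question's plan of a SHA checksum over the plaintext does not give integrity once one plaintext is known, and the last function shows how cheap guessing is against an unsalted single SHA-256 of the password.

```python
import hashlib

# Constructed sample values for the question's scheme: K = SHA256(password), C = P ^ K.
PASSWORD = "hunter2"
P1 = b"transfer 100 to account 12345678"
P2 = b"transfer 999 to account 87654321"


def derive_key_sha256(password: str) -> bytes:
    """The question's KDF: one fast, unsalted SHA-256 over the password."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def xor_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """C = P ^ K with the same K for every message (a many-time pad)."""
    return xor_bytes(key, plaintext)


KEY = derive_key_sha256(PASSWORD)
C1 = xor_encrypt(KEY, P1)
C2 = xor_encrypt(KEY, P2)
CHECKSUM1 = hashlib.sha256(P1).digest()  # the question's "SHA of plaintext" integrity check


def equal_byte_positions(c1: bytes, c2: bytes) -> list:
    """Ciphertext-only attack: C1 ^ C2 == P1 ^ P2, so every zero byte of the XOR tells
    the attacker that the two plaintexts agree at that position."""
    diff = xor_bytes(c1, c2)
    return [i for i, b in enumerate(diff) if b == 0]


def recover_key(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """One known plaintext gives K = C ^ P, and with it every other message."""
    return xor_bytes(ciphertext, known_plaintext)


def decrypt_all(ciphertexts: list, key: bytes) -> list:
    return [xor_bytes(c, key) for c in ciphertexts]


def forge_with_checksum(ciphertext: bytes, known_plaintext: bytes, target_plaintext: bytes):
    """Known-plaintext forgery that passes a SHA(plaintext) check: flipping bits in C
    flips the same bits in P, so the attacker knows the new plaintext and can hash it.
    K itself is not even needed for this."""
    delta = xor_bytes(known_plaintext, target_plaintext)
    return xor_bytes(ciphertext, delta), hashlib.sha256(target_plaintext).digest()


def checksum_verifies(ciphertext: bytes, checksum: bytes, key: bytes) -> bool:
    """What the question's receiver would do: decrypt, hash, compare."""
    return hashlib.sha256(xor_bytes(ciphertext, key)).digest() == checksum


def brute_force_password(target_key: bytes, candidates: list):
    """One SHA-256 per guess, no salt, no stretching: a wordlist attack on the key
    costs the same as hashing the wordlist once."""
    for guess in candidates:
        if derive_key_sha256(guess) == target_key:
            return guess
    return None


if __name__ == "__main__":
    print("positions where P1 == P2 (from ciphertexts only):", equal_byte_positions(C1, C2))
    k = recover_key(C1, P1)
    print("P2 recovered via known P1:", decrypt_all([C2], k)[0])
    forged_c, forged_sum = forge_with_checksum(C1, P1, b"transfer 999 to account 00000000")
    print("forged message passes checksum:", checksum_verifies(forged_c, forged_sum, KEY))
    print("password guessed:", brute_force_password(k, ["password", "letmein", "hunter2"]))
```

Running it, the equal-position list is the shared prefix "transfer " and the shared " to account " segment, i.e. the message layout, recovered from ciphertext alone; knowing one message then yields the key and the rest, the checksum accepts the forged transfer, and the password falls to a three-word list.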