I need to encrypt several parameters in a request (with Java, AES (CBC), 128-bit key):
String toencrypt = "name+birthdate+appid+userid";
I have to assume that an attacker can guess all the values. What impact does this have on guessing/finding the symmetric key? Are symmetric keys nevertheless secure even if the content that has been encrypted is known to an attacker? What is the rough estimated “factor” by which this makes finding the key easier? (For example, it might be 1000 times faster to find the key than without the known content…)
(My question is solely about the impact of the fact that the content to be encrypted could be known to an attacker. Due to length restrictions, I have no possibility to include any “random” characters or salt etc.)
And another related question. What is the security impact if I choose for the “Initialization Vector” of the AES function the same data as used for initializing the key?
Does this have any impact on the security?
Thank you very much!
Markus
This is called a known-plaintext attack. All decent crypto including AES is not vulnerable to it.
By definition, only the encryption key is secret. Init vector, key derivation algorithms etc. are assumed to be known. So if you use the same data for both IV and key, there’s a possibility of weakening your security. You could run the data through a cryptographically strong hash so that going from known IV to key requires reversing the hash first. But it’s even better to not use any data related to key generation for anything else at all.