Vulnerabilities of AES method that uses MD5 to create the key
Are there security vulnerabilities if a user were able to access both the original text and the text encrypted with AES using an MD5 hash as the key?
In other words, if the user had both the original and encrypted text, is it possible for the user to encrypt and decrypt their own text or an altered version of the site's text?
I am specifically wondering about this based on the security of the MD5 hash.
Full Code:

```python
from hashlib import md5
from base64 import b64encode, b64decode
from Crypto import Random
from Crypto.Cipher import AES

def pad(s):  # PKCS#7 helper the question relies on but does not show; str in, bytes out
    n = AES.block_size - len(s.encode('utf8')) % AES.block_size
    return s.encode('utf8') + bytes([n]) * n

def unpad(b):  # strips padding with no validation, which is what the answer warns about
    return b[:-b[-1]]

class AESCipher:
    def __init__(self, key):
        # the 32 hex chars of the MD5 digest are used directly as a 256-bit AES key
        self.key = md5(key.encode('utf8')).hexdigest().encode('ascii')
    def encrypt(self, raw):
        raw = pad(raw)
        iv = Random.new().read(AES.block_size)  # fresh random IV per message
        cipher = AES.new(self.key, AES.MODE_CBC, iv)
        return b64encode(iv + cipher.encrypt(raw))
    def decrypt(self, enc):
        enc = b64decode(enc)
        iv = enc[:16]
        cipher = AES.new(self.key, AES.MODE_CBC, iv)
        return unpad(cipher.decrypt(enc[16:])).decode('utf8')
```
aes md5
asked 4 hours ago by Jason Warren (new contributor)
edited 2 hours ago by Maarten Bodewes
Normally, MD5 has a collusion attack. What is the usage scenario?
– kelalaka, 4 hours ago

Why apply md5 to the key at all? If the key is a proper random string, there is no benefit. If the "key" passed to init is a password, then applying md5 to it is definitely a weakness.
– Ella Rose, 3 hours ago

@kelalaka Did you mean collision or collusion? The collision attack can be used for a collusion attack, but I think you meant collision :)
– Maarten Bodewes, 2 hours ago

@MaartenBodewes yes, Collision :)
– kelalaka, 2 hours ago
1 Answer
No: if the input key has enough entropy, then using an MD5 hash will not reduce the security of AES. AES protects against retrieval of the key from any combination of plaintext and ciphertext. MD5 can be seen as a poor man's (key-based) Key Derivation Function, or KDF, which extracts (compresses) the entropy found in the input key material.

However, a lot of the time MD5 is used instead of a Password Based Key Derivation Function, or PBKDF (bcrypt, scrypt, PBKDF2 and the newer Argon2 variants are well-known PBKDFs). If the input is a password or text, then it is likely that a low amount of entropy is present. In that case it is easy to guess the input of MD5. The resulting AES key may seem secure and randomized, but the adversary may guess the input, for instance by using a dictionary attack, and perform the MD5 calculation to retrieve the AES key.

MD5 has been broken, and the usage of MD5 is a red flag, often indicating that the developer hasn't got a clue about cryptography. This is true regardless of whether MD5 is used in a secure setting or not. The use of MD5 is often not by design, but because the developer copied another bad example of cryptography. In your case, the MD5 hash is hex encoded and then used as a 256-bit key. Although using 128 bits (max) of entropy as a 256-bit key doesn't break AES in practice, it does show that the developer wasn't a cryptographer himself.

If the quality is that bad, you can almost be certain that other errors have been made. In your example code, CBC mode could be used directly to achieve transport security, making padding oracle attacks a distinct possibility.

Please learn at least the basics of encoding and cryptography. Whatever you do, don't use self-made protocols like the one in your question. Try to use higher-level frameworks or transport protocols such as TLS instead. You have been warned, and it is good you asked.
answered 3 hours ago by Maarten Bodewes
edited 2 hours ago
Reducing AES-256 to 128 bit security would definitely count as a rather serious break of the block cipher. However, having 128 bit security is still plenty until quantum computers can use Grover's algorithm for these kinds of keys. Hence "in practice".
– Maarten Bodewes, 2 hours ago
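An added example (standard-library Python only; not code from the question or the answer) of the key-handling side of the question's `AESCipher` with the three fixes the answer points to: a salted PBKDF2 in place of a bare MD5, a key whose length matches its entropy, and an HMAC that is verified before any decryption so CBC padding is never inspected on tampered data. The AES step itself stays with the caller's existing `AES.new(...)` call; `HEX_ALPHABET`, the function names, the 16-byte IV and salt sizes and the 600,000 iteration count are assumptions, not values from the page.

```python
import hashlib
import hmac
import math
import os

HEX_ALPHABET = b"0123456789abcdef"  # the only byte values an MD5 hex digest can contain

def md5_hex_key(secret: str) -> bytes:
    """The question's construction: the MD5 hex digest, 32 ASCII characters,
    handed to AES as a 256-bit key."""
    return hashlib.md5(secret.encode("utf8")).hexdigest().encode("ascii")

def entropy_ceiling_bits(key: bytes, alphabet: bytes) -> int:
    """Upper bound on the entropy of `key` when every byte is drawn from
    `alphabet`. Refuses to answer if a byte lies outside it, so the bound
    is honest: 32 hex chars give at most 32 * log2(16) = 128 bits."""
    if any(b not in alphabet for b in key):
        raise ValueError("key byte outside the assumed alphabet")
    return int(len(key) * math.log2(len(alphabet)))

def derive_keys(password: str, salt: bytes, iterations: int = 600_000):
    """Salted PBKDF2-HMAC-SHA256 instead of a bare MD5 (iteration count is an
    assumption; tune it to your latency budget). 64 raw bytes out: 32 for
    AES-256 and 32 for HMAC, so encryption and authentication never share a key."""
    if len(salt) < 16:
        raise ValueError("salt must be at least 16 random bytes")
    okm = hashlib.pbkdf2_hmac("sha256", password.encode("utf8"), salt,
                              iterations, dklen=64)
    return okm[:32], okm[32:]

def new_salt() -> bytes:
    """Fresh per-password salt; store it next to the ciphertext."""
    return os.urandom(16)

def seal(mac_key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers the IV and the ciphertext.
    Wire format is iv || ciphertext || tag."""
    tag = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()
    return iv + ciphertext + tag

def open_sealed(mac_key: bytes, blob: bytes):
    """Constant-time tag check. Returns (iv, ciphertext) only when the tag
    matches; the caller decrypts and unpads after this and never before, so a
    modified message is rejected without ever reaching the padding check."""
    if len(blob) < 16 + 32:
        return None
    iv, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return iv, ciphertext
```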