Vulnerabilities of AES method that uses MD5 to create the key

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
1
down vote

favorite












Are there security vulnerabilities given the would a user be able to access the original text and the encrypted text with AES using an MD5 as a key?



In other words, if the user had both the original and encrypted text, is it possible for the user to encrypt and decrypt their own text or an altered version of the site's text?



I am specifically wondering about this based on the security of the MD5 hash.



Full Code:



class AESCipher:

def __init__(self, key):
self.key = md5(key.encode('utf8')).hexdigest()

def encrypt(self, raw):
raw = pad(raw)
iv = Random.new().read(AES.block_size)
cipher = AES.new(self.key, AES.MODE_CBC, iv)
return b64encode(iv + cipher.encrypt(raw))

def decrypt(self, enc):
enc = b64decode(enc)
iv = enc[:16]
cipher = AES.new(self.key, AES.MODE_CBC, iv)
return unpad(cipher.decrypt(enc[16:])).decode('utf8')









share|improve this question









New contributor




Jason Warren is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.



















  • Normally, MD5 has a collusion attack. What is the usage scenario?
    – kelalaka
    4 hours ago






  • 1




    Why apply md5 to the key at all? If the key is a proper random string, there is no benefit. If the "key" passed to init is a password, then applying md5 to it is definitely a weakness.
    – Ella Rose
    3 hours ago






  • 1




    @kelalaka Did you mean collision or collusion? The collision attack can be used for a collusion attack, but I think you meant collision :)
    – Maarten Bodewes
    2 hours ago










  • @MaartenBodewes yes, Collision :)
    – kelalaka
    2 hours ago















up vote
1
down vote

favorite












Are there security vulnerabilities given the would a user be able to access the original text and the encrypted text with AES using an MD5 as a key?



In other words, if the user had both the original and encrypted text, is it possible for the user to encrypt and decrypt their own text or an altered version of the site's text?



I am specifically wondering about this based on the security of the MD5 hash.



Full Code:



class AESCipher:

def __init__(self, key):
self.key = md5(key.encode('utf8')).hexdigest()

def encrypt(self, raw):
raw = pad(raw)
iv = Random.new().read(AES.block_size)
cipher = AES.new(self.key, AES.MODE_CBC, iv)
return b64encode(iv + cipher.encrypt(raw))

def decrypt(self, enc):
enc = b64decode(enc)
iv = enc[:16]
cipher = AES.new(self.key, AES.MODE_CBC, iv)
return unpad(cipher.decrypt(enc[16:])).decode('utf8')









share|improve this question









New contributor




Jason Warren is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.



















  • Normally, MD5 has a collusion attack. What is the usage scenario?
    – kelalaka
    4 hours ago






  • 1




    Why apply md5 to the key at all? If the key is a proper random string, there is no benefit. If the "key" passed to init is a password, then applying md5 to it is definitely a weakness.
    – Ella Rose
    3 hours ago






  • 1




    @kelalaka Did you mean collision or collusion? The collision attack can be used for a collusion attack, but I think you meant collision :)
    – Maarten Bodewes
    2 hours ago










  • @MaartenBodewes yes, Collision :)
    – kelalaka
    2 hours ago













up vote
1
down vote

favorite









up vote
1
down vote

favorite











Are there security vulnerabilities given the would a user be able to access the original text and the encrypted text with AES using an MD5 as a key?



In other words, if the user had both the original and encrypted text, is it possible for the user to encrypt and decrypt their own text or an altered version of the site's text?



I am specifically wondering about this based on the security of the MD5 hash.



Full Code:



class AESCipher:

def __init__(self, key):
self.key = md5(key.encode('utf8')).hexdigest()

def encrypt(self, raw):
raw = pad(raw)
iv = Random.new().read(AES.block_size)
cipher = AES.new(self.key, AES.MODE_CBC, iv)
return b64encode(iv + cipher.encrypt(raw))

def decrypt(self, enc):
enc = b64decode(enc)
iv = enc[:16]
cipher = AES.new(self.key, AES.MODE_CBC, iv)
return unpad(cipher.decrypt(enc[16:])).decode('utf8')









share|improve this question









New contributor




Jason Warren is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











Are there security vulnerabilities given the would a user be able to access the original text and the encrypted text with AES using an MD5 as a key?



In other words, if the user had both the original and encrypted text, is it possible for the user to encrypt and decrypt their own text or an altered version of the site's text?



I am specifically wondering about this based on the security of the MD5 hash.



Full Code:



class AESCipher:

def __init__(self, key):
self.key = md5(key.encode('utf8')).hexdigest()

def encrypt(self, raw):
raw = pad(raw)
iv = Random.new().read(AES.block_size)
cipher = AES.new(self.key, AES.MODE_CBC, iv)
return b64encode(iv + cipher.encrypt(raw))

def decrypt(self, enc):
enc = b64decode(enc)
iv = enc[:16]
cipher = AES.new(self.key, AES.MODE_CBC, iv)
return unpad(cipher.decrypt(enc[16:])).decode('utf8')






aes md5






share|improve this question









New contributor




Jason Warren is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question









New contributor




Jason Warren is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question








edited 2 hours ago









Maarten Bodewes

48.4k568179




48.4k568179






New contributor




Jason Warren is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked 4 hours ago









Jason Warren

61




61




New contributor




Jason Warren is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





Jason Warren is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






Jason Warren is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











  • Normally, MD5 has a collusion attack. What is the usage scenario?
    – kelalaka
    4 hours ago






  • 1




    Why apply md5 to the key at all? If the key is a proper random string, there is no benefit. If the "key" passed to init is a password, then applying md5 to it is definitely a weakness.
    – Ella Rose
    3 hours ago






  • 1




    @kelalaka Did you mean collision or collusion? The collision attack can be used for a collusion attack, but I think you meant collision :)
    – Maarten Bodewes
    2 hours ago










  • @MaartenBodewes yes, Collision :)
    – kelalaka
    2 hours ago

















  • Normally, MD5 has a collusion attack. What is the usage scenario?
    – kelalaka
    4 hours ago






  • 1




    Why apply md5 to the key at all? If the key is a proper random string, there is no benefit. If the "key" passed to init is a password, then applying md5 to it is definitely a weakness.
    – Ella Rose
    3 hours ago






  • 1




    @kelalaka Did you mean collision or collusion? The collision attack can be used for a collusion attack, but I think you meant collision :)
    – Maarten Bodewes
    2 hours ago










  • @MaartenBodewes yes, Collision :)
    – kelalaka
    2 hours ago
















Normally, MD5 has a collusion attack. What is the usage scenario?
– kelalaka
4 hours ago




Normally, MD5 has a collusion attack. What is the usage scenario?
– kelalaka
4 hours ago




1




1




Why apply md5 to the key at all? If the key is a proper random string, there is no benefit. If the "key" passed to init is a password, then applying md5 to it is definitely a weakness.
– Ella Rose
3 hours ago




Why apply md5 to the key at all? If the key is a proper random string, there is no benefit. If the "key" passed to init is a password, then applying md5 to it is definitely a weakness.
– Ella Rose
3 hours ago




1




1




@kelalaka Did you mean collision or collusion? The collision attack can be used for a collusion attack, but I think you meant collision :)
– Maarten Bodewes
2 hours ago




@kelalaka Did you mean collision or collusion? The collision attack can be used for a collusion attack, but I think you meant collision :)
– Maarten Bodewes
2 hours ago












@MaartenBodewes yes, Collision :)
– kelalaka
2 hours ago





@MaartenBodewes yes, Collision :)
– kelalaka
2 hours ago











1 Answer
1






active

oldest

votes

















up vote
2
down vote













No, if the input key has enough entropy then using an MD5 hash will not reduce the security of AES. And AES protects the retrieval of the key from any combination of plaintext and ciphertext. MD5 can be seen as a poor man's (Key Based) Key Derivation Function or KDF which extracts (compresses) the entropy found in the input key material.



However, a lot of times MD5 is used instead of a Password Based Key Derivation Function or PBKDF (bcrypt, scrypt, PBKDF2 and the newer Argon2 variants are well known PBKDF's). If the input is a password or text then it is likely that a low amount of entropy is present. In that case it is easy to guess the input of MD5. The resulting AES key may seem secure and randomized, but the adversary may guess the input - for instance by using a dictionary attack - and perform the MD5 calculation to retrieve the AES key.




MD5 has been broken and the usage of MD5 is a red flag, often indicating that the developer hasn't got a clue about cryptography. This is true regardless if MD5 is used in a secure setting or not. The use of MD5 is often not by design, but because the developer copied another bad example of cryptography. In your case, the MD5 hash is hex encoded and then used as 256 bit key. Although using 128 bits (max) of entropy as 256 bit key doesn't break AES in practice, it does show that the developer wasn't a cryptographer himself.



If the quality is that bad, you can almost be certain that other errors have been made. In your example code, CBC mode could be used directly to achieve transport security, making padding oracle attacks a distinct possibility.




Please learn at least the basics of encoding and cryptography. Whatever you do, don't use self-made protocols like the one in your question. Try and use higher level frameworks or transport protocols such as TLS instead. You have been warned - and it is good you asked.






share|improve this answer






















  • Reducing AES-256 to 128 bit security would definitely count as a rather serious break of the block cipher. However, having 128 bit security is still plenty until quantum computers can use Grover's algorithm for these kind of keys. Hence "in practice".
    – Maarten Bodewes
    2 hours ago











Your Answer




StackExchange.ifUsing("editor", function ()
return StackExchange.using("mathjaxEditing", function ()
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix)
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
);
);
, "mathjax-editing");

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);






Jason Warren is a new contributor. Be nice, and check out our Code of Conduct.









 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f62830%2fvulnerabilities-of-aes-method-that-uses-md5-to-create-the-key%23new-answer', 'question_page');

);

Post as a guest






























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
2
down vote













No, if the input key has enough entropy then using an MD5 hash will not reduce the security of AES. And AES protects the retrieval of the key from any combination of plaintext and ciphertext. MD5 can be seen as a poor man's (Key Based) Key Derivation Function or KDF which extracts (compresses) the entropy found in the input key material.



However, a lot of times MD5 is used instead of a Password Based Key Derivation Function or PBKDF (bcrypt, scrypt, PBKDF2 and the newer Argon2 variants are well known PBKDF's). If the input is a password or text then it is likely that a low amount of entropy is present. In that case it is easy to guess the input of MD5. The resulting AES key may seem secure and randomized, but the adversary may guess the input - for instance by using a dictionary attack - and perform the MD5 calculation to retrieve the AES key.




MD5 has been broken and the usage of MD5 is a red flag, often indicating that the developer hasn't got a clue about cryptography. This is true regardless if MD5 is used in a secure setting or not. The use of MD5 is often not by design, but because the developer copied another bad example of cryptography. In your case, the MD5 hash is hex encoded and then used as 256 bit key. Although using 128 bits (max) of entropy as 256 bit key doesn't break AES in practice, it does show that the developer wasn't a cryptographer himself.



If the quality is that bad, you can almost be certain that other errors have been made. In your example code, CBC mode could be used directly to achieve transport security, making padding oracle attacks a distinct possibility.




Please learn at least the basics of encoding and cryptography. Whatever you do, don't use self-made protocols like the one in your question. Try and use higher level frameworks or transport protocols such as TLS instead. You have been warned - and it is good you asked.






share|improve this answer






















  • Reducing AES-256 to 128 bit security would definitely count as a rather serious break of the block cipher. However, having 128 bit security is still plenty until quantum computers can use Grover's algorithm for these kind of keys. Hence "in practice".
    – Maarten Bodewes
    2 hours ago















up vote
2
down vote













No, if the input key has enough entropy then using an MD5 hash will not reduce the security of AES. And AES protects the retrieval of the key from any combination of plaintext and ciphertext. MD5 can be seen as a poor man's (Key Based) Key Derivation Function or KDF which extracts (compresses) the entropy found in the input key material.



However, a lot of times MD5 is used instead of a Password Based Key Derivation Function or PBKDF (bcrypt, scrypt, PBKDF2 and the newer Argon2 variants are well known PBKDF's). If the input is a password or text then it is likely that a low amount of entropy is present. In that case it is easy to guess the input of MD5. The resulting AES key may seem secure and randomized, but the adversary may guess the input - for instance by using a dictionary attack - and perform the MD5 calculation to retrieve the AES key.




MD5 has been broken and the usage of MD5 is a red flag, often indicating that the developer hasn't got a clue about cryptography. This is true regardless if MD5 is used in a secure setting or not. The use of MD5 is often not by design, but because the developer copied another bad example of cryptography. In your case, the MD5 hash is hex encoded and then used as 256 bit key. Although using 128 bits (max) of entropy as 256 bit key doesn't break AES in practice, it does show that the developer wasn't a cryptographer himself.



If the quality is that bad, you can almost be certain that other errors have been made. In your example code, CBC mode could be used directly to achieve transport security, making padding oracle attacks a distinct possibility.




Please learn at least the basics of encoding and cryptography. Whatever you do, don't use self-made protocols like the one in your question. Try and use higher level frameworks or transport protocols such as TLS instead. You have been warned - and it is good you asked.






share|improve this answer






















  • Reducing AES-256 to 128 bit security would definitely count as a rather serious break of the block cipher. However, having 128 bit security is still plenty until quantum computers can use Grover's algorithm for these kind of keys. Hence "in practice".
    – Maarten Bodewes
    2 hours ago













up vote
2
down vote










up vote
2
down vote









No, if the input key has enough entropy then using an MD5 hash will not reduce the security of AES. And AES protects the retrieval of the key from any combination of plaintext and ciphertext. MD5 can be seen as a poor man's (Key Based) Key Derivation Function or KDF which extracts (compresses) the entropy found in the input key material.



However, a lot of times MD5 is used instead of a Password Based Key Derivation Function or PBKDF (bcrypt, scrypt, PBKDF2 and the newer Argon2 variants are well known PBKDF's). If the input is a password or text then it is likely that a low amount of entropy is present. In that case it is easy to guess the input of MD5. The resulting AES key may seem secure and randomized, but the adversary may guess the input - for instance by using a dictionary attack - and perform the MD5 calculation to retrieve the AES key.




MD5 has been broken and the usage of MD5 is a red flag, often indicating that the developer hasn't got a clue about cryptography. This is true regardless if MD5 is used in a secure setting or not. The use of MD5 is often not by design, but because the developer copied another bad example of cryptography. In your case, the MD5 hash is hex encoded and then used as 256 bit key. Although using 128 bits (max) of entropy as 256 bit key doesn't break AES in practice, it does show that the developer wasn't a cryptographer himself.



If the quality is that bad, you can almost be certain that other errors have been made. In your example code, CBC mode could be used directly to achieve transport security, making padding oracle attacks a distinct possibility.




Please learn at least the basics of encoding and cryptography. Whatever you do, don't use self-made protocols like the one in your question. Try and use higher level frameworks or transport protocols such as TLS instead. You have been warned - and it is good you asked.






share|improve this answer














No, if the input key has enough entropy then using an MD5 hash will not reduce the security of AES. And AES protects the retrieval of the key from any combination of plaintext and ciphertext. MD5 can be seen as a poor man's (Key Based) Key Derivation Function or KDF which extracts (compresses) the entropy found in the input key material.



However, a lot of times MD5 is used instead of a Password Based Key Derivation Function or PBKDF (bcrypt, scrypt, PBKDF2 and the newer Argon2 variants are well known PBKDF's). If the input is a password or text then it is likely that a low amount of entropy is present. In that case it is easy to guess the input of MD5. The resulting AES key may seem secure and randomized, but the adversary may guess the input - for instance by using a dictionary attack - and perform the MD5 calculation to retrieve the AES key.




MD5 has been broken and the usage of MD5 is a red flag, often indicating that the developer hasn't got a clue about cryptography. This is true regardless if MD5 is used in a secure setting or not. The use of MD5 is often not by design, but because the developer copied another bad example of cryptography. In your case, the MD5 hash is hex encoded and then used as 256 bit key. Although using 128 bits (max) of entropy as 256 bit key doesn't break AES in practice, it does show that the developer wasn't a cryptographer himself.



If the quality is that bad, you can almost be certain that other errors have been made. In your example code, CBC mode could be used directly to achieve transport security, making padding oracle attacks a distinct possibility.




Please learn at least the basics of encoding and cryptography. Whatever you do, don't use self-made protocols like the one in your question. Try and use higher level frameworks or transport protocols such as TLS instead. You have been warned - and it is good you asked.







share|improve this answer














share|improve this answer



share|improve this answer








edited 2 hours ago

























answered 3 hours ago









Maarten Bodewes

48.4k568179




48.4k568179











  • Reducing AES-256 to 128 bit security would definitely count as a rather serious break of the block cipher. However, having 128 bit security is still plenty until quantum computers can use Grover's algorithm for these kind of keys. Hence "in practice".
    – Maarten Bodewes
    2 hours ago

















  • Reducing AES-256 to 128 bit security would definitely count as a rather serious break of the block cipher. However, having 128 bit security is still plenty until quantum computers can use Grover's algorithm for these kind of keys. Hence "in practice".
    – Maarten Bodewes
    2 hours ago
















Reducing AES-256 to 128 bit security would definitely count as a rather serious break of the block cipher. However, having 128 bit security is still plenty until quantum computers can use Grover's algorithm for these kind of keys. Hence "in practice".
– Maarten Bodewes
2 hours ago





Reducing AES-256 to 128 bit security would definitely count as a rather serious break of the block cipher. However, having 128 bit security is still plenty until quantum computers can use Grover's algorithm for these kind of keys. Hence "in practice".
– Maarten Bodewes
2 hours ago











Jason Warren is a new contributor. Be nice, and check out our Code of Conduct.









 

draft saved


draft discarded


















Jason Warren is a new contributor. Be nice, and check out our Code of Conduct.












Jason Warren is a new contributor. Be nice, and check out our Code of Conduct.











Jason Warren is a new contributor. Be nice, and check out our Code of Conduct.













 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f62830%2fvulnerabilities-of-aes-method-that-uses-md5-to-create-the-key%23new-answer', 'question_page');

);

Post as a guest













































































Comments

Popular posts from this blog

What does second last employer means? [closed]

Installing NextGIS Connect into QGIS 3?

One-line joke