Vulnerabilities of AES method that uses MD5 to create the key

Are there security vulnerabilities if a user were able to access both the original text and the text encrypted with AES, using an MD5 hash as the key?

In other words, if the user had both the original and the encrypted text, would it be possible for the user to encrypt and decrypt their own text, or an altered version of the site's text?

I am specifically wondering about this based on the security of the MD5 hash.

Full code:

    from hashlib import md5
    from base64 import b64encode, b64decode
    from Crypto import Random
    from Crypto.Cipher import AES

    def pad(s):
        # PKCS#7 padding of the UTF-8 text up to a multiple of the 16-byte block size
        b = s.encode('utf8')
        n = AES.block_size - len(b) % AES.block_size
        return b + bytes([n]) * n

    def unpad(b):
        return b[:-b[-1]]

    class AESCipher:

        def __init__(self, key):
            # 32-character hex digest of the key string, used as a 256-bit AES key
            self.key = md5(key.encode('utf8')).hexdigest().encode('ascii')

        def encrypt(self, raw):
            raw = pad(raw)
            iv = Random.new().read(AES.block_size)
            cipher = AES.new(self.key, AES.MODE_CBC, iv)
            return b64encode(iv + cipher.encrypt(raw))

        def decrypt(self, enc):
            enc = b64decode(enc)
            iv = enc[:16]
            cipher = AES.new(self.key, AES.MODE_CBC, iv)
            return unpad(cipher.decrypt(enc[16:])).decode('utf8')









tags: aes md5

asked 4 hours ago by Jason Warren; edited 2 hours ago by Maarten Bodewes
  • Normally, MD5 has a collusion attack. What is the usage scenario? – kelalaka, 4 hours ago

  • Why apply md5 to the key at all? If the key is a proper random string, there is no benefit. If the "key" passed to init is a password, then applying md5 to it is definitely a weakness. – Ella Rose, 3 hours ago

  • @kelalaka Did you mean collision or collusion? The collision attack can be used for a collusion attack, but I think you meant collision :) – Maarten Bodewes, 2 hours ago

  • @MaartenBodewes yes, Collision :) – kelalaka, 2 hours ago

















1 Answer
No, if the input key has enough entropy then using an MD5 hash will not reduce the security of AES. And AES protects against retrieval of the key from any combination of plaintext and ciphertext. MD5 can be seen as a poor man's (key-based) Key Derivation Function or KDF, which extracts (compresses) the entropy found in the input key material.

However, a lot of the time MD5 is used instead of a Password Based Key Derivation Function or PBKDF (bcrypt, scrypt, PBKDF2 and the newer Argon2 variants are well-known PBKDFs). If the input is a password or text then it is likely that a low amount of entropy is present. In that case it is easy to guess the input of MD5. The resulting AES key may seem secure and randomized, but the adversary may guess the input - for instance by using a dictionary attack - and perform the MD5 calculation to retrieve the AES key.

MD5 has been broken and the usage of MD5 is a red flag, often indicating that the developer hasn't got a clue about cryptography. This is true regardless of whether MD5 is used in a secure setting or not. The use of MD5 is often not by design, but because the developer copied another bad example of cryptography. In your case, the MD5 hash is hex encoded and then used as a 256-bit key. Although using 128 bits (max) of entropy as a 256-bit key doesn't break AES in practice, it does show that the developer wasn't a cryptographer himself.

If the quality is that bad, you can almost be certain that other errors have been made. In your example code, CBC mode could be used directly to achieve transport security, making padding oracle attacks a distinct possibility.

Please learn at least the basics of encoding and cryptography. Whatever you do, don't use self-made protocols like the one in your question. Try to use higher level frameworks or transport protocols such as TLS instead. You have been warned - and it is good you asked.







answered 3 hours ago by Maarten Bodewes; edited 2 hours ago











  • Reducing AES-256 to 128 bit security would definitely count as a rather serious break of the block cipher. However, having 128 bit security is still plenty until quantum computers can use Grover's algorithm for these kinds of keys. Hence "in practice". – Maarten Bodewes, 2 hours ago
















