iqlusioninc / aes-sid, Hacker News

Authenticated deterministic encryption for – bit integers based on the AES-CMAC-SIV construction.

Both the design and Rust implementation of this scheme have received no external review. There are properties / limits of this scheme that need to be mathematically quantified which are presently undescribed.

This scheme uses deterministic encryption which, if applied improperly (e.g. in a naive inverted search index), can lead to catastrophic failures, including full plaintext recovery.

Before attempting to experiment with this scheme, please make sure to read the full threat model section and make sure the cryptographic properties of this scheme actually apply to your intended threat model.


Threat Model

AES-SID encrypts – bit values as – bit values. However, if naively (mis)used as a general-purpose construction for encrypting – bit values, it can fail catastrophically (and similar constructions have failed in practice, as described in the “Security Warning” section above).

) “, where attackers are able to guess the identifiers of valid Zoom channels and thus gain access to them.

These identifiers are a standard feature of all SQL databases, easy to remember, easy to communicate (in text or spoken form), and ubiquitous across many applications.

AES-SID is designed to allow developers to retrofit applications which use low-entropy auto-incrementing primary keys in such a way that they can be deterministically and reversibly mapped to 256-bit external / “masked” values (that can be serialized as e.g. a UUID), while ensuring that the “masked” values are randomly distributed and unguessable by an attacker (with greater-than-chance success in the 256-bit integer space, which is widely regarded as the baseline for symmetric cryptography).

One way to solve this problem is to use a (cryptographically) random UUID as a primary key instead of an auto-incrementing one. This is a perfectly valid approach, and one worth considering, but it comes at a price: UUIDs are long and high-entropy, which means they aren’t easily spoken, or even remembered or manually typed by someone who has read them.

However, if applications are already leveraging auto-incrementing integer identifiers, a migration to randomized UUIDs is potentially complex. That said, even for greenfield applications, low-cardinality auto-incrementing IDs starting at (0,1) are extremely convenient from a developer experience perspective: they're easy to remember, to type, and to speak.

For this reason, schemes for “masking” / encrypting low-entropy numerical identifiers have been developed. Historically, these schemes have had at least one of these two problems:

Identifiers are malleable, providing an advantage to attackers who are interested in guessing any valid encrypted identifier.
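To make the deterministic, reversible mapping described above concrete, and to show how a synthetic-IV construction removes the malleability problem just listed, here is an added example in Python. It is not the aes-sid crate's code: it keeps the shape of an SIV scheme (synthetic IV = MAC over the plaintext; ciphertext = plaintext XOR a keystream derived from that IV; decryption recomputes the MAC and rejects mismatches) but substitutes HMAC-SHA256 from the standard library for AES-CMAC and AES-CTR so that it runs with no third-party package. The key size, tag length, subkey labels and class/function names are all assumptions made for this example.

```python
import hashlib
import hmac
import struct
import uuid

# Constructed example: an SIV-style deterministic authenticated encryption
# scheme for 64-bit integer identifiers. HMAC-SHA256 stands in for
# AES-CMAC (synthetic IV) and for the AES-CTR keystream. This is NOT the
# aes-sid crate and has not been analysed; it demonstrates the properties
# the README discusses: determinism, reversibility and non-malleability.

KEY_LEN = 32   # assumed key size for this example
TAG_LEN = 8    # 64-bit synthetic IV, so a 64-bit ID becomes a 128-bit token
ID_LEN = 8     # plaintext is a big-endian unsigned 64-bit integer


class MaskedIdCipher:
    def __init__(self, key: bytes) -> None:
        if len(key) != KEY_LEN:
            raise ValueError(f"key must be {KEY_LEN} bytes")
        # Derive independent subkeys for the MAC and for the keystream PRF.
        self._mac_key = hmac.new(key, b"siv-mac", hashlib.sha256).digest()
        self._enc_key = hmac.new(key, b"siv-enc", hashlib.sha256).digest()

    def _siv(self, plaintext: bytes) -> bytes:
        # Synthetic IV: a MAC over the plaintext, truncated to TAG_LEN bytes.
        # With an 8-byte tag a random forgery passes with probability ~2**-64.
        return hmac.new(self._mac_key, plaintext, hashlib.sha256).digest()[:TAG_LEN]

    def _keystream(self, siv: bytes) -> bytes:
        # Keystream is a PRF of the synthetic IV: same IV -> same keystream.
        return hmac.new(self._enc_key, siv, hashlib.sha256).digest()[:ID_LEN]

    def encrypt(self, identifier: int) -> bytes:
        # struct.pack raises struct.error for values outside 0..2**64-1.
        plaintext = struct.pack(">Q", identifier)
        siv = self._siv(plaintext)
        keystream = self._keystream(siv)
        ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream))
        return siv + ciphertext  # 16 bytes: tag || ciphertext

    def decrypt(self, token: bytes) -> int:
        if len(token) != TAG_LEN + ID_LEN:
            raise ValueError("token must be 16 bytes")
        siv, ciphertext = token[:TAG_LEN], token[TAG_LEN:]
        keystream = self._keystream(siv)
        plaintext = bytes(c ^ k for c, k in zip(ciphertext, keystream))
        # Any bit flipped in the tag or the ciphertext changes the recovered
        # plaintext or the expected tag, so the recomputed MAC will not match.
        if not hmac.compare_digest(self._siv(plaintext), siv):
            raise ValueError("authentication failed: token is not valid")
        return struct.unpack(">Q", plaintext)[0]

    def mask(self, identifier: int) -> str:
        # Serialise the 128-bit token as a UUID string for external use.
        # (Plain serialisation; version/variant bits are not set.)
        return str(uuid.UUID(bytes=self.encrypt(identifier)))

    def unmask(self, masked: str) -> int:
        return self.decrypt(uuid.UUID(masked).bytes)


def tamper_is_rejected(cipher: MaskedIdCipher, identifier: int, byte_index: int) -> bool:
    # Flip one bit of a valid token and check that decryption refuses it.
    token = bytearray(cipher.encrypt(identifier))
    token[byte_index] ^= 0x01
    try:
        cipher.decrypt(bytes(token))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    key = bytes(range(KEY_LEN))  # constructed demo key; never use a fixed key
    cipher = MaskedIdCipher(key)
    for ident in (0, 1, 2, 2**64 - 1):
        masked = cipher.mask(ident)
        print(ident, masked, cipher.unmask(masked))
```

Because the scheme is deterministic, the same identifier always yields the same masked value; that is what makes migration from integer keys possible, and it is also exactly the property that leaks equality between records if masked values are indexed naively, as the warning above notes.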
