Can I get AES CBC key from known plaintext, ciphertext, iv?



  • Long story short: I was using AES CBC PKCS5 on my image server, but I lost my keys (one key per image).

    I know the first 61 bytes (the original and the encrypted) of each image plus I know the IV, and the key length is 256. My question is that can I compute the key from these things?



  • AES is a state-of-the-art, well designed block cipher generally assumed to be and modeled as a pseudo-random permutation. Which means in CBC mode it is resistant to known plain text attack and if IV is unpredictable for next cipher text, it is considered indistinguishable under chosen plaintext attack (unless there is some mathematical breakthrough in finding flaws in its design).

    Modern ciphers are built with much higher security goals in mind so anything vulnerable to key-recovery under known plaintext attack would not be even considered. They are built to resist more powerful adversaries (capable of performing chosen plaintext or chosen ciphertext attacks) with much seemingly meager goals compared to key recovery like decrypting one cipher text or even just simply being able to tell which of the two plaintexts of attacker's choice was encrypted into some given ciphertext with notably better probability than random guess (something I talked about earlier).

    On a side note unauthenticated CBC is not secure under chosen ciphertext attacks and is vulnerable to bit flipping and may be vulnerable to padding oracle attacks in some implementations. Both and IV and ciphertext must be authenticated with a secure MAC if you need to use CBC mode at all.



Suggested Topics