
Not just that but something like AES using ECB is indistinguishable from random to the casual observer. Only when you’re aware of why ECB is bad will you understand what to look for to defeat it.


I actually have a sticker of ECB Tux[1] on my laptop to serve as a fun reminder :P

[1] https://filippo.io/images/Tux-ECB.png


In case anyone wants to create a similar reminder for a specific image, a while ago I created a small utility that does just that: https://github.com/mhe/visualmoo


This is very cool, thanks for sharing!


Which is the classic illustration that ECB is _not_ indistinguishable from random, even to a casual observer.


I think "casual observer" and "shove deliberately patterned data through the system then render it so that I can see if the patterns show through" aren't the same thing.

In the Tux data maybe 03038F12128F0303 turns into 49DC195026F3300A and that looks pretty random. It's only visible as the Tux image because every 03038F12128F0303 turns into 49DC195026F3300A, thus preserving the very bold overall pattern of the image.

If you shove a photograph of a kitten through it, that looks like noise, but Tux is made of these big bold shapes and so the resulting pattern is big enough to "show through" the ECB encryption.


You're basically implying that a casual observer would look at AES all by itself and then say things are good. And I think you're correct to imply that.

But that means that ECB isn't actually passing the smoke test, because the casual observer isn't analyzing AES+ECB. They're only analyzing AES.


These kinds of patterns are present in input data quite often - e.g. fixed headers, markup etc.

As usual, there’s even an xkcd on it: https://xkcd.com/1286/


I think when people say that a block cipher is indistinguishable from random they mean that for a given key k, the permutation 0 -> cipher(0, k), 1 -> cipher(1, k), ..., 2^n-1 -> cipher(2^n-1, k) where n is the block length in bits is indistinguishable from a random permutation of (0, 1, 2, ..., 2^n-1).


That’s an ok(ish) definition of indistinguishability for a block cipher, but not for a mode of operation like ECB.


Actually a casual observer can distinguish ECB from random, though they may not realize that is what they are doing. For example, if you manage to compress the ciphertext -- random data should not compress by much, so if you can do any significant compression on ciphertext then you are distinguishing it from random bits. ECB should be compressible if the plaintext is compressible (though probably not as well as the plaintext due to the way ECB is divided into blocks).

Recognizing that this is a problem is another matter.



