How to Implement Deterministic Encryption Safely in .NETUsing HMAC as a nonce with AES-CTR encrypt-and-MACWhat Are the Risks of AES-GCM [Key, Nonce, Message] where Nonce = MessageCan I Achieve Deterministic Encryption Using AES-GCM with Nonce = HMAC [ message ]Deterministic nonces in CTR modeWhich gives better deterministic encryption SIV or Plain ECB mode?Security of this deterministic encryption scheme(Re-)Using deterministic IV in CTR mode / How to: deterministic AESWhy is synthetic IV (SIV) mode considered deterministic authenticated encryption (DAE)?Deterministic encryption for a limited space: using HMAC as IVIs deterministic encryption appropriate for low entropy plaintext when CPA is not a concern?Are there any misuse-resistant asymmetric encryption schemes?What Are the Risks of AES-GCM [Key, Nonce, Message] where Nonce = MessageDeterministic Authenticated Encryption with AES-OFB and HMAC
How to remove border from elements in the last row?
How exploitable/balanced is this homebrew spell: Spell Permanency?
Avoiding the "not like other girls" trope?
Is it possible to create a QR code using text?
Could the museum Saturn V's be refitted for one more flight?
OP Amp not amplifying audio signal
Why was Sir Cadogan fired?
Is it a bad idea to plug the other end of ESD strap to wall ground?
Theorists sure want true answers to this!
How can saying a song's name be a copyright violation?
Is it possible to map the firing of neurons in the human brain so as to stimulate artificial memories in someone else?
How could indestructible materials be used in power generation?
How to install cross-compiler on Ubuntu 18.04?
Getting extremely large arrows with tikzcd
Night of Shab e Meraj
What are the G forces leaving Earth orbit?
How to prevent "they're falling in love" trope
how do we prove that a sum of two periods is still a period?
GFCI outlets - can they be repaired? Are they really needed at the end of a circuit?
How to show a landlord what we have in savings?
One verb to replace 'be a member of' a club
Do Iron Man suits sport waste management systems?
Can someone clarify Hamming's notion of important problems in relation to modern academia?
What is required to make GPS signals available indoors?
How to Implement Deterministic Encryption Safely in .NET
Using HMAC as a nonce with AES-CTR encrypt-and-MACWhat Are the Risks of AES-GCM [Key, Nonce, Message] where Nonce = MessageCan I Achieve Deterministic Encryption Using AES-GCM with Nonce = HMAC [ message ]Deterministic nonces in CTR modeWhich gives better deterministic encryption SIV or Plain ECB mode?Security of this deterministic encryption scheme(Re-)Using deterministic IV in CTR mode / How to: deterministic AESWhy is synthetic IV (SIV) mode considered deterministic authenticated encryption (DAE)?Deterministic encryption for a limited space: using HMAC as IVIs deterministic encryption appropriate for low entropy plaintext when CPA is not a concern?Are there any misuse-resistant asymmetric encryption schemes?What Are the Risks of AES-GCM [Key, Nonce, Message] where Nonce = MessageDeterministic Authenticated Encryption with AES-OFB and HMAC
$begingroup$
I am trying to implement a deterministic encryption scheme in .NET. This link suggests I use AES-SIV mode encryption. An alternative is to use AES-CTR [ k1, nonce, message] mode with HMAC[ k2, message] as the nonce. This is effectively the same as AES-SIV.
In .NET, there is no implementation of AES-SIV. AES-CTR mode is also not available in .NET. The only .NET compatible library which implements AES-SIV I can find is Miscreant .NET. This is not FIPS validated.
Does anyone have any suggestions on how to implement a deterministic encryption scheme in .NET?
This post is a continuation of a previous post.
My Project: I have several bankers who will send the balance information for thousands of bank accounts to a server. The account numbers will be encrypted using this scheme prior to sending to the server for security purposes. The server deliberately will not have the private key [I'm setting up a zero-knowledge encryption scheme]. On the client side, Banker1 and Banker2 must be able to encrypt the account number in a deterministic way that allows any Banker to decrypt account numbers returned from the server. For this reason, I decided to use HMAC(message) as the nonce for my encryption scheme and append it to the ciphertext. AES-CTR[ k1, nonce, message] || HMAC[ k2, message] where nonce = HMAC[ k2, message].
Thank you!
ctr nonce deterministic-encryption siv
edited 2 days ago
kelalaka
8,60522351
asked 2 days ago
user67091user67091
211
New contributor
user67091 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
add a comment |
$begingroup$
I am trying to implement a deterministic encryption scheme in .NET. This link suggests I use AES-SIV mode encryption. An alternative is to use AES-CTR [ k1, nonce, message] mode with HMAC[ k2, message] as the nonce. This is effectively the same as AES-SIV.
In .NET, there is no implementation of AES-SIV. AES-CTR mode is also not available in .NET. The only .NET compatible library which implements AES-SIV I can find is Miscreant .NET. This is not FIPS validated.
Does anyone have any suggestions on how to implement a deterministic encryption scheme in .NET?
This post is a continuation of a previous post.
My Project: I have several bankers who will send the balance information for thousands of bank accounts to a server. The account numbers will be encrypted using this scheme prior to sending to the server for security purposes. The server deliberately will not have the private key [I'm setting up a zero-knowledge encryption scheme]. On the client side, Banker1 and Banker2 must be able to encrypt the account number in a deterministic way that allows any Banker to decrypt account numbers returned from the server. For this reason, I decided to use HMAC(message) as the nonce for my encryption scheme and append it to the ciphertext. AES-CTR[ k1, nonce, message] || HMAC[ k2, message] where nonce = HMAC[ k2, message].
Thank you!
ctr nonce deterministic-encryption siv
edited 2 days ago
kelalaka
8,60522351
asked 2 days ago
user67091user67091
211
New contributor
user67091 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
add a comment |
$begingroup$
I am trying to implement a deterministic encryption scheme in .NET. This link suggests I use AES-SIV mode encryption. An alternative is to use AES-CTR [ k1, nonce, message] mode with HMAC[ k2, message] as the nonce. This is effectively the same as AES-SIV.
In .NET, there is no implementation of AES-SIV. AES-CTR mode is also not available in .NET. The only .NET compatible library which implements AES-SIV I can find is Miscreant .NET. This is not FIPS validated.
Does anyone have any suggestions on how to implement a deterministic encryption scheme in .NET?
This post is a continuation of a previous post.
My Project: I have several bankers who will send the balance information for thousands of bank accounts to a server. The account numbers will be encrypted using this scheme prior to sending to the server for security purposes. The server deliberately will not have the private key [I'm setting up a zero-knowledge encryption scheme]. On the client side, Banker1 and Banker2 must be able to encrypt the account number in a deterministic way that allows any Banker to decrypt account numbers returned from the server. For this reason, I decided to use HMAC(message) as the nonce for my encryption scheme and append it to the ciphertext. AES-CTR[ k1, nonce, message] || HMAC[ k2, message] where nonce = HMAC[ k2, message].
Thank you!
ctr nonce deterministic-encryption siv
edited 2 days ago
kelalaka
8,60522351
asked 2 days ago
user67091user67091
211
New contributor
user67091 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
I am trying to implement a deterministic encryption scheme in .NET. This link suggests I use AES-SIV mode encryption. An alternative is to use AES-CTR [ k1, nonce, message] mode with HMAC[ k2, message] as the nonce. This is effectively the same as AES-SIV.
In .NET, there is no implementation of AES-SIV. AES-CTR mode is also not available in .NET. The only .NET compatible library which implements AES-SIV I can find is Miscreant .NET. This is not FIPS validated.
Does anyone have any suggestions on how to implement a deterministic encryption scheme in .NET?
This post is a continuation of a previous post.
My Project: I have several bankers who will send the balance information for thousands of bank accounts to a server. The account numbers will be encrypted using this scheme prior to sending to the server for security purposes. The server deliberately will not have the private key [I'm setting up a zero-knowledge encryption scheme]. On the client side, Banker1 and Banker2 must be able to encrypt the account number in a deterministic way that allows any Banker to decrypt account numbers returned from the server. For this reason, I decided to use HMAC(message) as the nonce for my encryption scheme and append it to the ciphertext. AES-CTR[ k1, nonce, message] || HMAC[ k2, message] where nonce = HMAC[ k2, message].
Thank you!
ctr nonce deterministic-encryption siv
ctr nonce deterministic-encryption siv
edited 2 days ago
kelalaka
8,60522351
asked 2 days ago
user67091user67091
211
New contributor
user67091 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited 2 days ago
kelalaka
8,60522351
asked 2 days ago
user67091user67091
211
New contributor
user67091 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited 2 days ago
kelalaka
8,60522351
edited 2 days ago
kelalaka
8,60522351
edited 2 days ago
kelalaka
8,60522351
8,60522351
asked 2 days ago
user67091user67091
211
New contributor
user67091 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 2 days ago
user67091user67091
211
asked 2 days ago
user67091user67091
211
211
New contributor
user67091 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
user67091 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
user67091 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
$begingroup$
You can safely use HMAC-SHA256 instead of the SIV mode custom PRF to derive the nonce/authentication tag. There's some caveats:
HMAC-SHA256 gives a 256-bit output; you'll have to truncate it to the nonce size.
HMAC-SHA256 takes in a single bit string, so it can't distinguish the boundary between a header (unencrypted associated data) and payload (encrypted message); the SIV mode custom PRF is defined on a tuple of bit strings. So make sure that if you compute HMAC over more than just a ciphertext, you uniquely encode the tuple of $(a, c)$ as a bit string you pass to HMAC-SHA256.
Beware limits on total volume of data for AES-SIV or similar! For example, if your ‘AES-CTR’ takes a 96-bit nonce (as AES-GCM uses), you must limit your total volume of data to well below $2^48$ messages, so that there is no danger of nonce collision. For example, you might limit it to a billion messages, $2^30$.
AES-SIV internally uses $operatornameAES_k(n) mathbin| operatornameAES_k(n + 1) mathbin| operatornameAES_k(n + 2) mathbin| cdots$ with a 128-bit nonce $n$, instead of what is usually meant by AES-CTR, which is $operatornameAES_k(n mathbin| 0) mathbin| operatornameAES_k(n mathbin| 1) mathbin| operatornameAES_k(n mathbin| 2) mathbin| cdots$ with a (say) 96-bit nonce $n$ and 32-bit block counter like AES-GCM uses. The details don't matter that much as long as you pay close attention to the advertised adversary advantage and data volume limits.
Make sure to write known-answer test vectors for the system you think you're implementing, using another tool or another library, so that you can do quick self-tests to confirm interoperability.
Avoid the term ‘zero-knowledge’ unless you're actually doing cryptography involving zero-knowledge proofs, which are a specific technical concept involving provers, verifiers, extractors, and simulators. Saying ‘zero-knowledge encryption’ proudly announces that you have more money for a marketing department than for a cryptography engineering department.
Even if you encrypt identifiers, there's lots of information to be learned from network structures and databases with ‘anonymized’ (really, pseudonymized) identifiers. So ‘zero-knowledge’ is especially inappropriate here if you're only concealing the labels, not the structure of the database.
In this scenario, I would advise you to either (a) persuade your management to invest more money in cryptography engineering including hiring competent implementors and auditors, or (b) start polishing your CV, because this job is doomed. This is not a comment on your value or intelligence as a person! Obviously you're working hard to learn. But it is not confidence-inspiring to hear that your management are tasking someone who has to ask a pseudonymous forum of strangers on the internet for help with cryptographic basics in order to handle private banking information for thousands of clients over the internet.
answered 2 days ago
Squeamish OssifrageSqueamish Ossifrage
22k132100
$endgroup$
$begingroup$
1.) I'll truncate the nonce size appropriately. I was aware of this need. 2.) I will never approach 2^30 accounts. My limits will be between ~1M - 10M. 3.) I will bear this in mind once I test. I will also hire a consultant for testing. 4.) There is a file encryption service known as BoxCryptor that labels itself a 'Zero Knowledge Provider'. This may be false advertising but my system is similar to theirs. I will be safe not to over-advertise what we offer, though. I'm an entrepreneur without a budget. I admit encryption is difficult but not impossible thanks to this forum.
$endgroup$
– user67091
2 days ago
$begingroup$
Any advice on how to implement the above within .NET given SIV is not implemented and CTR mode is not available within the System.Security.Cryptography namespace?
$endgroup$
– user67091
2 days ago
1
$begingroup$
Boxcryptor appears to have more money for marketing than cryptography. They're abusing the term ‘zero-knowledge’. Their technical overview doesn't even mention authenticating data, which suggests they really don't know what they're doing. They are also apparently too embarrassed at their own security to share source code. They seem to respond with weasel words and deflection when confronted about audits.
$endgroup$
– Squeamish Ossifrage
2 days ago
1
$begingroup$
I missed the sentence where you said you don't even have AES-CTR. In principle you could use an alternative like AES-CBC (make sure to pad then MAC then encrypt here, and decrypt then verify then unpad) or AES-OFB instead of AES-CTR. But you're in over your head here. You need to find someone who is experienced in cryptography engineering for your startup. It's one thing to use this site to learn about little questions at a time; it's quite another to build the foundation of a product that people might rely on for banking privacy as an exercise in learning cryptography basics.
$endgroup$
– Squeamish Ossifrage
2 days ago
$begingroup$
Thanks for your help! I understand your concerns. I spend 2 - 3 hours each night after work to finish this product and can see many obstacles. I'm pushed forward by words from Bill Gates who said most people over-estimate what they can accomplish in a few months but underestimate what they can accomplish in a year. Elon Musk was also discouraged by others given his lack of experience not to say I'm Elon Musk. You helped me on my original post where I concluded there was no answer. With perseverance, however, I found the solution we are discussing now. Onwards, I say. I'm no quitter.
$endgroup$
– user67091
2 days ago
add a comment |
Your Answer
StackExchange.ifUsing("editor", function ()
return StackExchange.using("mathjaxEditing", function ()
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix)
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
);
);
, "mathjax-editing");
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
user67091 is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f68443%2fhow-to-implement-deterministic-encryption-safely-in-net%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
$begingroup$
You can safely use HMAC-SHA256 instead of the SIV mode custom PRF to derive the nonce/authentication tag. There's some caveats:
HMAC-SHA256 gives a 256-bit output; you'll have to truncate it to the nonce size.
HMAC-SHA256 takes in a single bit string, so it can't distinguish the boundary between a header (unencrypted associated data) and payload (encrypted message); the SIV mode custom PRF is defined on a tuple of bit strings. So make sure that if you compute HMAC over more than just a ciphertext, you uniquely encode the tuple of $(a, c)$ as a bit string you pass to HMAC-SHA256.
Beware limits on total volume of data for AES-SIV or similar! For example, if your ‘AES-CTR’ takes a 96-bit nonce (as AES-GCM uses), you must limit your total volume of data to well below $2^48$ messages, so that there is no danger of nonce collision. For example, you might limit it to a billion messages, $2^30$.
AES-SIV internally uses $operatornameAES_k(n) mathbin| operatornameAES_k(n + 1) mathbin| operatornameAES_k(n + 2) mathbin| cdots$ with a 128-bit nonce $n$, instead of what is usually meant by AES-CTR, which is $operatornameAES_k(n mathbin| 0) mathbin| operatornameAES_k(n mathbin| 1) mathbin| operatornameAES_k(n mathbin| 2) mathbin| cdots$ with a (say) 96-bit nonce $n$ and 32-bit block counter like AES-GCM uses. The details don't matter that much as long as you pay close attention to the advertised adversary advantage and data volume limits.
Make sure to write known-answer test vectors for the system you think you're implementing, using another tool or another library, so that you can do quick self-tests to confirm interoperability.
Avoid the term ‘zero-knowledge’ unless you're actually doing cryptography involving zero-knowledge proofs, which are a specific technical concept involving provers, verifiers, extractors, and simulators. Saying ‘zero-knowledge encryption’ proudly announces that you have more money for a marketing department than for a cryptography engineering department.
Even if you encrypt identifiers, there's lots of information to be learned from network structures and databases with ‘anonymized’ (really, pseudonymized) identifiers. So ‘zero-knowledge’ is especially inappropriate here if you're only concealing the labels, not the structure of the database.
In this scenario, I would advise you to either (a) persuade your management to invest more money in cryptography engineering including hiring competent implementors and auditors, or (b) start polishing your CV, because this job is doomed. This is not a comment on your value or intelligence as a person! Obviously you're working hard to learn. But it is not confidence-inspiring to hear that your management are tasking someone who has to ask a pseudonymous forum of strangers on the internet for help with cryptographic basics in order to handle private banking information for thousands of clients over the internet.
answered 2 days ago
Squeamish OssifrageSqueamish Ossifrage
22k132100
$endgroup$
$begingroup$
1.) I'll truncate the nonce size appropriately. I was aware of this need. 2.) I will never approach 2^30 accounts. My limits will be between ~1M - 10M. 3.) I will bear this in mind once I test. I will also hire a consultant for testing. 4.) There is a file encryption service known as BoxCryptor that labels itself a 'Zero Knowledge Provider'. This may be false advertising but my system is similar to theirs. I will be safe not to over-advertise what we offer, though. I'm an entrepreneur without a budget. I admit encryption is difficult but not impossible thanks to this forum.
$endgroup$
– user67091
2 days ago
$begingroup$
Any advice on how to implement the above within .NET given SIV is not implemented and CTR mode is not available within the System.Security.Cryptography namespace?
$endgroup$
– user67091
2 days ago
1
$begingroup$
Boxcryptor appears to have more money for marketing than cryptography. They're abusing the term ‘zero-knowledge’. Their technical overview doesn't even mention authenticating data, which suggests they really don't know what they're doing. They are also apparently too embarrassed at their own security to share source code. They seem to respond with weasel words and deflection when confronted about audits.
$endgroup$
– Squeamish Ossifrage
2 days ago
1
$begingroup$
I missed the sentence where you said you don't even have AES-CTR. In principle you could use an alternative like AES-CBC (make sure to pad then MAC then encrypt here, and decrypt then verify then unpad) or AES-OFB instead of AES-CTR. But you're in over your head here. You need to find someone who is experienced in cryptography engineering for your startup. It's one thing to use this site to learn about little questions at a time; it's quite another to build the foundation of a product that people might rely on for banking privacy as an exercise in learning cryptography basics.
$endgroup$
– Squeamish Ossifrage
2 days ago
$begingroup$
Thanks for your help! I understand your concerns. I spend 2 - 3 hours each night after work to finish this product and can see many obstacles. I'm pushed forward by words from Bill Gates who said most people over-estimate what they can accomplish in a few months but underestimate what they can accomplish in a year. Elon Musk was also discouraged by others given his lack of experience not to say I'm Elon Musk. You helped me on my original post where I concluded there was no answer. With perseverance, however, I found the solution we are discussing now. Onwards, I say. I'm no quitter.
$endgroup$
– user67091
2 days ago
add a comment |
$begingroup$
You can safely use HMAC-SHA256 instead of the SIV mode custom PRF to derive the nonce/authentication tag. There's some caveats:
HMAC-SHA256 gives a 256-bit output; you'll have to truncate it to the nonce size.
HMAC-SHA256 takes in a single bit string, so it can't distinguish the boundary between a header (unencrypted associated data) and payload (encrypted message); the SIV mode custom PRF is defined on a tuple of bit strings. So make sure that if you compute HMAC over more than just a ciphertext, you uniquely encode the tuple of $(a, c)$ as a bit string you pass to HMAC-SHA256.
Beware limits on total volume of data for AES-SIV or similar! For example, if your ‘AES-CTR’ takes a 96-bit nonce (as AES-GCM uses), you must limit your total volume of data to well below $2^48$ messages, so that there is no danger of nonce collision. For example, you might limit it to a billion messages, $2^30$.
AES-SIV internally uses $operatornameAES_k(n) mathbin| operatornameAES_k(n + 1) mathbin| operatornameAES_k(n + 2) mathbin| cdots$ with a 128-bit nonce $n$, instead of what is usually meant by AES-CTR, which is $operatornameAES_k(n mathbin| 0) mathbin| operatornameAES_k(n mathbin| 1) mathbin| operatornameAES_k(n mathbin| 2) mathbin| cdots$ with a (say) 96-bit nonce $n$ and 32-bit block counter like AES-GCM uses. The details don't matter that much as long as you pay close attention to the advertised adversary advantage and data volume limits.
Make sure to write known-answer test vectors for the system you think you're implementing, using another tool or another library, so that you can do quick self-tests to confirm interoperability.
Avoid the term ‘zero-knowledge’ unless you're actually doing cryptography involving zero-knowledge proofs, which are a specific technical concept involving provers, verifiers, extractors, and simulators. Saying ‘zero-knowledge encryption’ proudly announces that you have more money for a marketing department than for a cryptography engineering department.
Even if you encrypt identifiers, there's lots of information to be learned from network structures and databases with ‘anonymized’ (really, pseudonymized) identifiers. So ‘zero-knowledge’ is especially inappropriate here if you're only concealing the labels, not the structure of the database.
In this scenario, I would advise you to either (a) persuade your management to invest more money in cryptography engineering including hiring competent implementors and auditors, or (b) start polishing your CV, because this job is doomed. This is not a comment on your value or intelligence as a person! Obviously you're working hard to learn. But it is not confidence-inspiring to hear that your management are tasking someone who has to ask a pseudonymous forum of strangers on the internet for help with cryptographic basics in order to handle private banking information for thousands of clients over the internet.
answered 2 days ago
Squeamish OssifrageSqueamish Ossifrage
22k132100
$endgroup$
$begingroup$
1.) I'll truncate the nonce size appropriately. I was aware of this need. 2.) I will never approach 2^30 accounts. My limits will be between ~1M - 10M. 3.) I will bear this in mind once I test. I will also hire a consultant for testing. 4.) There is a file encryption service known as BoxCryptor that labels itself a 'Zero Knowledge Provider'. This may be false advertising but my system is similar to theirs. I will be safe not to over-advertise what we offer, though. I'm an entrepreneur without a budget. I admit encryption is difficult but not impossible thanks to this forum.
$endgroup$
– user67091
2 days ago
$begingroup$
Any advice on how to implement the above within .NET given SIV is not implemented and CTR mode is not available within the System.Security.Cryptography namespace?
$endgroup$
– user67091
2 days ago
1
$begingroup$
Boxcryptor appears to have more money for marketing than cryptography. They're abusing the term ‘zero-knowledge’. Their technical overview doesn't even mention authenticating data, which suggests they really don't know what they're doing. They are also apparently too embarrassed at their own security to share source code. They seem to respond with weasel words and deflection when confronted about audits.
$endgroup$
– Squeamish Ossifrage
2 days ago
1
$begingroup$
I missed the sentence where you said you don't even have AES-CTR. In principle you could use an alternative like AES-CBC (make sure to pad then MAC then encrypt here, and decrypt then verify then unpad) or AES-OFB instead of AES-CTR. But you're in over your head here. You need to find someone who is experienced in cryptography engineering for your startup. It's one thing to use this site to learn about little questions at a time; it's quite another to build the foundation of a product that people might rely on for banking privacy as an exercise in learning cryptography basics.
$endgroup$
– Squeamish Ossifrage
2 days ago
$begingroup$
Thanks for your help! I understand your concerns. I spend 2 - 3 hours each night after work to finish this product and can see many obstacles. I'm pushed forward by words from Bill Gates who said most people over-estimate what they can accomplish in a few months but underestimate what they can accomplish in a year. Elon Musk was also discouraged by others given his lack of experience not to say I'm Elon Musk. You helped me on my original post where I concluded there was no answer. With perseverance, however, I found the solution we are discussing now. Onwards, I say. I'm no quitter.
$endgroup$
– user67091
2 days ago
add a comment |
$begingroup$
You can safely use HMAC-SHA256 instead of the SIV mode custom PRF to derive the nonce/authentication tag. There's some caveats:
HMAC-SHA256 gives a 256-bit output; you'll have to truncate it to the nonce size.
HMAC-SHA256 takes in a single bit string, so it can't distinguish the boundary between a header (unencrypted associated data) and payload (encrypted message); the SIV mode custom PRF is defined on a tuple of bit strings. So make sure that if you compute HMAC over more than just a ciphertext, you uniquely encode the tuple of $(a, c)$ as a bit string you pass to HMAC-SHA256.
Beware limits on total volume of data for AES-SIV or similar! For example, if your ‘AES-CTR’ takes a 96-bit nonce (as AES-GCM uses), you must limit your total volume of data to well below $2^48$ messages, so that there is no danger of nonce collision. For example, you might limit it to a billion messages, $2^30$.
AES-SIV internally uses $operatornameAES_k(n) mathbin| operatornameAES_k(n + 1) mathbin| operatornameAES_k(n + 2) mathbin| cdots$ with a 128-bit nonce $n$, instead of what is usually meant by AES-CTR, which is $operatornameAES_k(n mathbin| 0) mathbin| operatornameAES_k(n mathbin| 1) mathbin| operatornameAES_k(n mathbin| 2) mathbin| cdots$ with a (say) 96-bit nonce $n$ and 32-bit block counter like AES-GCM uses. The details don't matter that much as long as you pay close attention to the advertised adversary advantage and data volume limits.
Make sure to write known-answer test vectors for the system you think you're implementing, using another tool or another library, so that you can do quick self-tests to confirm interoperability.
Avoid the term ‘zero-knowledge’ unless you're actually doing cryptography involving zero-knowledge proofs, which are a specific technical concept involving provers, verifiers, extractors, and simulators. Saying ‘zero-knowledge encryption’ proudly announces that you have more money for a marketing department than for a cryptography engineering department.
Even if you encrypt identifiers, there's lots of information to be learned from network structures and databases with ‘anonymized’ (really, pseudonymized) identifiers. So ‘zero-knowledge’ is especially inappropriate here if you're only concealing the labels, not the structure of the database.
In this scenario, I would advise you to either (a) persuade your management to invest more money in cryptography engineering including hiring competent implementors and auditors, or (b) start polishing your CV, because this job is doomed. This is not a comment on your value or intelligence as a person! Obviously you're working hard to learn. But it is not confidence-inspiring to hear that your management are tasking someone who has to ask a pseudonymous forum of strangers on the internet for help with cryptographic basics in order to handle private banking information for thousands of clients over the internet.
answered 2 days ago
Squeamish OssifrageSqueamish Ossifrage
22k132100
$endgroup$
You can safely use HMAC-SHA256 instead of the SIV mode custom PRF to derive the nonce/authentication tag. There's some caveats:
HMAC-SHA256 gives a 256-bit output; you'll have to truncate it to the nonce size.
HMAC-SHA256 takes in a single bit string, so it can't distinguish the boundary between a header (unencrypted associated data) and payload (encrypted message); the SIV mode custom PRF is defined on a tuple of bit strings. So make sure that if you compute HMAC over more than just a ciphertext, you uniquely encode the tuple of $(a, c)$ as a bit string you pass to HMAC-SHA256.
Beware limits on total volume of data for AES-SIV or similar! For example, if your ‘AES-CTR’ takes a 96-bit nonce (as AES-GCM uses), you must limit your total volume of data to well below $2^48$ messages, so that there is no danger of nonce collision. For example, you might limit it to a billion messages, $2^30$.
AES-SIV internally uses $operatornameAES_k(n) mathbin| operatornameAES_k(n + 1) mathbin| operatornameAES_k(n + 2) mathbin| cdots$ with a 128-bit nonce $n$, instead of what is usually meant by AES-CTR, which is $operatornameAES_k(n mathbin| 0) mathbin| operatornameAES_k(n mathbin| 1) mathbin| operatornameAES_k(n mathbin| 2) mathbin| cdots$ with a (say) 96-bit nonce $n$ and 32-bit block counter like AES-GCM uses. The details don't matter that much as long as you pay close attention to the advertised adversary advantage and data volume limits.
Make sure to write known-answer test vectors for the system you think you're implementing, using another tool or another library, so that you can do quick self-tests to confirm interoperability.
Avoid the term ‘zero-knowledge’ unless you're actually doing cryptography involving zero-knowledge proofs, which are a specific technical concept involving provers, verifiers, extractors, and simulators. Saying ‘zero-knowledge encryption’ proudly announces that you have more money for a marketing department than for a cryptography engineering department.
Even if you encrypt identifiers, there's lots of information to be learned from network structures and databases with ‘anonymized’ (really, pseudonymized) identifiers. So ‘zero-knowledge’ is especially inappropriate here if you're only concealing the labels, not the structure of the database.
In this scenario, I would advise you to either (a) persuade your management to invest more money in cryptography engineering including hiring competent implementors and auditors, or (b) start polishing your CV, because this job is doomed. This is not a comment on your value or intelligence as a person! Obviously you're working hard to learn. But it is not confidence-inspiring to hear that your management are tasking someone who has to ask a pseudonymous forum of strangers on the internet for help with cryptographic basics in order to handle private banking information for thousands of clients over the internet.
answered 2 days ago
Squeamish OssifrageSqueamish Ossifrage
22k132100
edited 2 days ago
answered 2 days ago
Squeamish OssifrageSqueamish Ossifrage
22k132100
answered 2 days ago
Squeamish OssifrageSqueamish Ossifrage
22k132100
answered 2 days ago
Squeamish OssifrageSqueamish Ossifrage
22k132100
22k132100
$begingroup$
1.) I'll truncate the nonce size appropriately. I was aware of this need. 2.) I will never approach 2^30 accounts. My limits will be between ~1M - 10M. 3.) I will bear this in mind once I test. I will also hire a consultant for testing. 4.) There is a file encryption service known as BoxCryptor that labels itself a 'Zero Knowledge Provider'. This may be false advertising but my system is similar to theirs. I will be safe not to over-advertise what we offer, though. I'm an entrepreneur without a budget. I admit encryption is difficult but not impossible thanks to this forum.
$endgroup$
– user67091
2 days ago
$begingroup$
Any advice on how to implement the above within .NET given SIV is not implemented and CTR mode is not available within the System.Security.Cryptography namespace?
$endgroup$
– user67091
2 days ago
1
$begingroup$
Boxcryptor appears to have more money for marketing than cryptography. They're abusing the term ‘zero-knowledge’. Their technical overview doesn't even mention authenticating data, which suggests they really don't know what they're doing. They are also apparently too embarrassed at their own security to share source code. They seem to respond with weasel words and deflection when confronted about audits.
$endgroup$
– Squeamish Ossifrage
2 days ago
1
$begingroup$
I missed the sentence where you said you don't even have AES-CTR. In principle you could use an alternative like AES-CBC (make sure to pad then MAC then encrypt here, and decrypt then verify then unpad) or AES-OFB instead of AES-CTR. But you're in over your head here. You need to find someone who is experienced in cryptography engineering for your startup. It's one thing to use this site to learn about little questions at a time; it's quite another to build the foundation of a product that people might rely on for banking privacy as an exercise in learning cryptography basics.
$endgroup$
– Squeamish Ossifrage
2 days ago
$begingroup$
Thanks for your help! I understand your concerns. I spend 2 - 3 hours each night after work to finish this product and can see many obstacles. I'm pushed forward by words from Bill Gates who said most people over-estimate what they can accomplish in a few months but underestimate what they can accomplish in a year. Elon Musk was also discouraged by others given his lack of experience not to say I'm Elon Musk. You helped me on my original post where I concluded there was no answer. With perseverance, however, I found the solution we are discussing now. Onwards, I say. I'm no quitter.
$endgroup$
– user67091
2 days ago
add a comment |
$begingroup$
1.) I'll truncate the nonce size appropriately. I was aware of this need. 2.) I will never approach 2^30 accounts. My limits will be between ~1M - 10M. 3.) I will bear this in mind once I test. I will also hire a consultant for testing. 4.) There is a file encryption service known as BoxCryptor that labels itself a 'Zero Knowledge Provider'. This may be false advertising but my system is similar to theirs. I will be safe not to over-advertise what we offer, though. I'm an entrepreneur without a budget. I admit encryption is difficult but not impossible thanks to this forum.
$endgroup$
– user67091
2 days ago
$begingroup$
Any advice on how to implement the above within .NET given SIV is not implemented and CTR mode is not available within the System.Security.Cryptography namespace?
$endgroup$
– user67091
2 days ago
1
$begingroup$
Boxcryptor appears to have more money for marketing than cryptography. They're abusing the term ‘zero-knowledge’. Their technical overview doesn't even mention authenticating data, which suggests they really don't know what they're doing. They are also apparently too embarrassed at their own security to share source code. They seem to respond with weasel words and deflection when confronted about audits.
$endgroup$
– Squeamish Ossifrage
2 days ago
1
$begingroup$
I missed the sentence where you said you don't even have AES-CTR. In principle you could use an alternative like AES-CBC (make sure to pad then MAC then encrypt here, and decrypt then verify then unpad) or AES-OFB instead of AES-CTR. But you're in over your head here. You need to find someone who is experienced in cryptography engineering for your startup. It's one thing to use this site to learn about little questions at a time; it's quite another to build the foundation of a product that people might rely on for banking privacy as an exercise in learning cryptography basics.
$endgroup$
– Squeamish Ossifrage
2 days ago
$begingroup$
Thanks for your help! I understand your concerns. I spend 2 - 3 hours each night after work to finish this product and can see many obstacles. I'm pushed forward by words from Bill Gates who said most people over-estimate what they can accomplish in a few months but underestimate what they can accomplish in a year. Elon Musk was also discouraged by others given his lack of experience not to say I'm Elon Musk. You helped me on my original post where I concluded there was no answer. With perseverance, however, I found the solution we are discussing now. Onwards, I say. I'm no quitter.
$endgroup$
– user67091
2 days ago
$begingroup$
1.) I'll truncate the nonce size appropriately. I was aware of this need. 2.) I will never approach 2^30 accounts. My limits will be between ~1M - 10M. 3.) I will bear this in mind once I test. I will also hire a consultant for testing. 4.) There is a file encryption service known as BoxCryptor that labels itself a 'Zero Knowledge Provider'. This may be false advertising but my system is similar to theirs. I will be safe not to over-advertise what we offer, though. I'm an entrepreneur without a budget. I admit encryption is difficult but not impossible thanks to this forum.
$endgroup$
– user67091
2 days ago
$begingroup$
1.) I'll truncate the nonce size appropriately. I was aware of this need. 2.) I will never approach 2^30 accounts. My limits will be between ~1M - 10M. 3.) I will bear this in mind once I test. I will also hire a consultant for testing. 4.) There is a file encryption service known as BoxCryptor that labels itself a 'Zero Knowledge Provider'. This may be false advertising but my system is similar to theirs. I will be safe not to over-advertise what we offer, though. I'm an entrepreneur without a budget. I admit encryption is difficult but not impossible thanks to this forum.
$endgroup$
– user67091
2 days ago
$begingroup$
Any advice on how to implement the above within .NET given SIV is not implemented and CTR mode is not available within the System.Security.Cryptography namespace?
$endgroup$
– user67091
2 days ago
$begingroup$
Any advice on how to implement the above within .NET given SIV is not implemented and CTR mode is not available within the System.Security.Cryptography namespace?
$endgroup$
– user67091
2 days ago
1
1
$begingroup$
Boxcryptor appears to have more money for marketing than cryptography. They're abusing the term ‘zero-knowledge’. Their technical overview doesn't even mention authenticating data, which suggests they really don't know what they're doing. They are also apparently too embarrassed at their own security to share source code. They seem to respond with weasel words and deflection when confronted about audits.
$endgroup$
– Squeamish Ossifrage
2 days ago
$begingroup$
Boxcryptor appears to have more money for marketing than cryptography. They're abusing the term ‘zero-knowledge’. Their technical overview doesn't even mention authenticating data, which suggests they really don't know what they're doing. They are also apparently too embarrassed at their own security to share source code. They seem to respond with weasel words and deflection when confronted about audits.
$endgroup$
– Squeamish Ossifrage
2 days ago
1
1
$begingroup$
I missed the sentence where you said you don't even have AES-CTR. In principle you could use an alternative like AES-CBC (make sure to pad then MAC then encrypt here, and decrypt then verify then unpad) or AES-OFB instead of AES-CTR. But you're in over your head here. You need to find someone who is experienced in cryptography engineering for your startup. It's one thing to use this site to learn about little questions at a time; it's quite another to build the foundation of a product that people might rely on for banking privacy as an exercise in learning cryptography basics.
$endgroup$
– Squeamish Ossifrage
2 days ago
$begingroup$
I missed the sentence where you said you don't even have AES-CTR. In principle you could use an alternative like AES-CBC (make sure to pad then MAC then encrypt here, and decrypt then verify then unpad) or AES-OFB instead of AES-CTR. But you're in over your head here. You need to find someone who is experienced in cryptography engineering for your startup. It's one thing to use this site to learn about little questions at a time; it's quite another to build the foundation of a product that people might rely on for banking privacy as an exercise in learning cryptography basics.
$endgroup$
– Squeamish Ossifrage
2 days ago
$begingroup$
Thanks for your help! I understand your concerns. I spend 2 - 3 hours each night after work to finish this product and can see many obstacles. I'm pushed forward by words from Bill Gates who said most people over-estimate what they can accomplish in a few months but underestimate what they can accomplish in a year. Elon Musk was also discouraged by others given his lack of experience not to say I'm Elon Musk. You helped me on my original post where I concluded there was no answer. With perseverance, however, I found the solution we are discussing now. Onwards, I say. I'm no quitter.
$endgroup$
– user67091
2 days ago
$begingroup$
Thanks for your help! I understand your concerns. I spend 2 - 3 hours each night after work to finish this product and can see many obstacles. I'm pushed forward by words from Bill Gates who said most people over-estimate what they can accomplish in a few months but underestimate what they can accomplish in a year. Elon Musk was also discouraged by others given his lack of experience not to say I'm Elon Musk. You helped me on my original post where I concluded there was no answer. With perseverance, however, I found the solution we are discussing now. Onwards, I say. I'm no quitter.
$endgroup$
– user67091
2 days ago
add a comment |
user67091 is a new contributor. Be nice, and check out our Code of Conduct.
user67091 is a new contributor. Be nice, and check out our Code of Conduct.
user67091 is a new contributor. Be nice, and check out our Code of Conduct.
user67091 is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Cryptography Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f68443%2fhow-to-implement-deterministic-encryption-safely-in-net%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
