encryption – Which cipher block mode is most secure?


disk encryption – Can I safely disable and re-enable Secure Boot when Bitlocker is used in order to make a Forensic Image?

I am about to make a forensic image (using dc3dd from OSFClone) of a laptop, and in this specific case I’d like to start up from a bootable USB stick with OSFClone and image the disk to an external disk. The laptop in this case uses Bitlocker with (I suspect) a TPM 2 chip. I did receive a Bitlocker recovery key for this laptop, but I cannot be 100% sure that the recovery key is correct. I did also receive a local Windows Administrator user which I could use to boot and log in to Windows and check the recovery keys, but I’d rather not boot the machine into Windows at all.

My plan is to (temporarily) disable Secure Boot, boot from the OSFClone USB and make a forensic image to an external disk. After that I want to re-enable Secure Boot again. I wonder if Bitlocker will prompt to enter a Recovery Key in this case when booting normally again? Or will it boot straight into Windows (after re-enabling) like nothing has happened?

It’s an option if I have to enter the Bitlocker recovery key once after imaging and boot into Windows. But I’d rather not boot into Windows, and as I said I cannot be 100% sure the recovery key I’ve received is correct.

Lastly, what happens if I do (accidentally) boot into Windows before re-enabling Secure Boot? Does re-enabling Secure Boot restore the old behavior (no recovery key required), or does it remember that one “unsecure boot” state and prompt anyway until a recovery key is entered?

Also in this case I am not sure whether OSFClone will image the unencrypted disk (which I suspect in the case of a SED disk with TPM-only, as it should unlock when the machine with the TPM and the disk power on) or whether I will only manage to image the encrypted disk (which I suspect when SED and/or TPM is not used). Either way, the forensic processing software we use (Intella by Vound-Software) should be able to handle Bitlocker-encrypted images when the recovery key is supplied, but I’d rather understand exactly how it works and whether my understanding of this matter is correct.

encryption – Use the public key of a certificate as the key for HMAC SHA

TL;DR: “Using a public key as a secret key is not a good idea.” – MechMK1


I think you’re misunderstanding how certificates work.

which will be deployed with private / public key on all workstations. So all the stations have the same certificate and therefore the same public and private key.

It’s not really “private” if every employee in your company has a copy of it. Non-exportable helps, but you should really be issuing a unique certificate to each device; imagine the mess you’ll be in if one of your devices is stolen / hacked and you need to revoke the certificate!


Is it possible, correct and secure to use the raw public key of the certificate (as a string) as the HMAC-SHA256 password?

Remember that public keys are intended to be public. Even if you are intending to treat them as a super-secret value, there is no guarantee that all of the software that touches them will. Two examples:

  • When a publicly-trusted CA issues a cert, they log it to public Certificate Transparency servers. For example, here are the CT logs for all *.stackexchange.com certificates; notice how many dev., qa. and test. certs there are in that list? By clicking into any of those, you can get the public key. If your certs came from a public CA, then I’ll bet you can find them on crt.sh as well. This is not a problem because publicly-trusted certs are intended to be public in all aspects except the private key.
  • When establishing a TLS connection, the certificate (and public key within it) is sent un-encrypted over the internet (and it has to be this way because that’s how you establish the encrypted channel).

Never assume that your certificates will be a secret.


So your question “Is it ok to use a public value as a password?” is a bit like “Is it ok to use my name as my banking password?”; no, no it’s not.

Sounds like you need to figure out a different way of (securely) distributing an HMAC key to your apps.

encryption – How are passwords stored in the database of a decentralized peer to peer system?

I want to use username and password instead of public key cryptography for a decentralized peer-to-peer application, but since the passwords are stored on users’ computers, there is a possibility of being stolen. How do I store the passwords securely?

And how do I give permission safely? How can I prevent someone else from gaining permission unfairly?

security – Fiio m7 (Android Audio Player) full disk encryption and control internal storage access only when logged in Android 7.0

I have an Android music player that uses a custom firmware of Android 7.0. There isn’t a full disk encryption option shown, so I do not know what I should do to encrypt it. Also, it lets people access the internal storage when it is locked, which isn’t secure, and I am looking to make the device ask the user if the connected device is trustworthy when the device is unlocked. It currently does not have to be unlocked and will let anyone access internal storage.

aes – Which encryption technique should be adopted to keep the search functionalities?

I am in exactly the same situation as described in this post. I must be able to encrypt data from a client workstation then send it to an untrusted server (encrypted at rest), then decrypt it only on the same client workstation. However, the client must be able to continue to do “encrypted” searches based on the cypher text.

AES CBC seems to need a unique IV for each encryption, so I can’t use this technique. And all the others, GCM, … and even the asymmetric RSA encryption have the same behavior with a padding, which means that the cypher text is never the same for the same plain text …

It seems that only AES ECB can produce the same cypher text. The important point in my case is that the data I have to encrypt is all in the format of a string of max 1000 chars, and also that I have to protect this data from the hoster (at rest); there is no in-transit risk, and the data are not exhibited on the internet. I don’t know if I can rely on ECB…

So I ask the question again because 5 years have passed since that post, and there may be other options. Can you advise me which technique to use that is quite secure, resists brute-forcing, and with which I can continue to search (on cypher text)? Can I use AES CBC with the same IV? Can I use AES ECB (256)? Others?
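One way to keep equality search without a deterministic cipher, as an added example that is not from the original post or from any answer to it: the stored value is sealed with randomized AES-256-GCM, and a separate keyed HMAC-SHA256 token (a "blind index") derived from the plaintext with a second key the host never sees is stored beside it for lookups. The key lengths, the exact-match (no normalization) token and the function names are this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
)

// blindIndex is the equality token stored beside each ciphertext: equal
// plaintexts give equal tokens, but the host cannot compute or test guesses without indexKey.
func blindIndex(indexKey []byte, plaintext string) string {
	mac := hmac.New(sha256.New, indexKey)
	mac.Write([]byte(plaintext))
	return hex.EncodeToString(mac.Sum(nil))
}

// encryptRecord seals plaintext under AES-256-GCM with a fresh random nonce
// (prepended to the output), so two copies of the same value yield different
// ciphertexts, unlike ECB. It returns the sealed bytes and the search token.
func encryptRecord(encKey, indexKey []byte, plaintext string) ([]byte, string, error) {
	block, err := aes.NewCipher(encKey) // encKey must be 32 bytes for AES-256
	if err != nil {
		return nil, "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), nil)
	return sealed, blindIndex(indexKey, plaintext), nil
}

// search returns the positions of stored tokens equal to the query's token.
func search(tokens []string, indexKey []byte, query string) []int {
	want := blindIndex(indexKey, query)
	var hits []int
	for i, t := range tokens {
		if t == want {
			hits = append(hits, i)
		}
	}
	return hits
}
```

The token column still reveals which rows share a value (the equality leakage any exact-match search has), but the ciphertext column reveals nothing, and without the index key the host cannot build tokens for guessed values.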

encryption – Does knowing part of a passphrase for sure really mean that you can “disregard” that entire part when trying to crack it?

Alice bought 1 Bitcoin and encrypted her wallet.dat in Bitcoin Core.

Samantha, Alice’s friend, notices the Bitcoin price skyrocketing and, while Alice is in the bathroom, steals Alice’s wallet.dat as well as important.txt and goes home.

There she discovers that it’s passphrase-protected, so she cannot transfer the coin away to her own wallet.

Alice opens important.txt and discovers this:

Never delete the following!!!
Bitcoin passphrase: "ck3C83jcdldkj3isDkj2m3Db3ducMJm3wb3kdkxckDksk2kw54956848dkDkdkewj54t" + first_pet_nickname + house_number_for_second_temporary_house + guy_in_first_grade_i_had_a_crush_on + favorite_brand_of_cakes (all lowercase letters)

In other words, Alice has written down part of the passphrase with the rest being things that Samantha possibly could guess or brute-force.

My question is: assuming that she can’t just guess the unknown parts, and has to brute-force it, does the sheer length of the known part pose any kind of extra hurdle?

That is, has the passphrase just turned into simply first_pet_nickname + house_number_for_second_temporary_house + guy_in_first_grade_i_had_a_crush_on + favorite_brand_of_cakes? Since the first string is known, does that mean it “doesn’t exist” as far as brute-force time/resources needed? Or will this add significantly to the slowness of the brute-forcing because it has to do different (more complex) calculations with the long string as compared to without it?

Hybrid encryption – File Encryption using AES and RSA

Do you have any source code that related to file encryption application using AES and RSA?

rsa – How do I take advantage of a specific user’s attributes to generate an encryption key pair on the fly to encrypt a file?

Suppose I have the following 3 files with content:

file1.txt:

This is file1.txt.  It is labeled red. 

file2.txt:

This is file2.txt.  It is labeled green. 

file3.txt:

This is file3.txt.  It is labeled blue. 

Suppose these 3 files are stored on my linux file system at:

/home/shared

Finally, suppose I have 3 users who can login to this linux machine:

user1 (should only see files labeled red)
user2 (should only see files labeled green)
user3 (should only see files labeled blue)

How can I use the RSA encryption scheme to generate unique private keys for user1, user2, and user3 such that they can decrypt the files they are supposed to see but not the ones they should not see?

Put another way, how can I generate a key pair (public/private) so that user1 can encrypt red-labeled files and users 2 and 3 cannot decrypt file1.txt?

cryptography – The risk of RSA encryption. Would individually encoded character be risky?

I’m assuming you mean that each character is individually encrypted, and you get the ciphertexts and public key(s) used to encrypt the characters.

The main consideration would be whether the encryptions were performed with padding, such as OAEP. The importance of padding is well established for most cases. In particular, for this scenario, the critical weakness is the determinism of the output – unpadded RSA produces a deterministic output for a given input and key – which can be used to trivially brute-force small messages. The algorithm is simple:

  1. Attacker takes the supplied public key and uses it to encrypt every possible (or even just every likely) character, individually.
  2. Attacker compares each resulting ciphertext with the supplied ciphertext. If they match, the attacker knows what character produced that ciphertext and thus has “decrypted” the message.
  3. Repeat for each (ciphertext, public key) pair that you have until you’ve “decrypted” everything.

If the messages are padded correctly, this attack is not possible. In that case, there is not (AFAIK) any reason this scheme wouldn’t work.

Of course, RSA with secure key sizes is painfully slow, and using it for a large number of tiny messages is absurdly wasteful. In any realistic scenario, you would either encrypt the full message with the key (if it’s short enough to do so in one “block”), or use a hybrid cryptosystem where the message is encrypted using a symmetric cipher, and the symmetric cipher’s key is encrypted using an asymmetric cipher such as RSA.
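The three-step check from the answer run against a constructed key, as an added example in Go that is not code from the answer: unpadded RSA (c = m^e mod n) is deterministic, so a dictionary of the 256 possible byte ciphertexts recovers every character, while RSA-OAEP from crypto/rsa is randomized and the same lookup matches nothing. The key size, the '?' marker and the function names are this example's choices.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"math/big"
)

// newDemoKey generates a throwaway 2048-bit key pair for the demonstration.
func newDemoKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// textbookEncrypt is unpadded RSA, c = m^e mod n: the same byte under the same key always gives the same ciphertext.
func textbookEncrypt(pub *rsa.PublicKey, m byte) []byte {
	return new(big.Int).Exp(big.NewInt(int64(m)), big.NewInt(int64(pub.E)), pub.N).Bytes()
}

// oaepEncrypt pads with RSA-OAEP, which is randomized: re-encrypting the
// same byte gives a different ciphertext, so a dictionary never matches.
func oaepEncrypt(pub *rsa.PublicKey, m byte) []byte {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte{m}, nil)
	if err != nil {
		panic(err)
	}
	return ct
}

// recoverByDictionary is the answer's three-step check: encrypt every candidate byte with
// the public key alone, then look each ciphertext up; an unmatched position (the padded case) becomes '?'.
func recoverByDictionary(pub *rsa.PublicKey, cts [][]byte, enc func(*rsa.PublicKey, byte) []byte) string {
	dict := map[string]byte{}
	for b := 0; b < 256; b++ {
		dict[string(enc(pub, byte(b)))] = byte(b)
	}
	out := make([]byte, 0, len(cts))
	for _, ct := range cts {
		b, ok := dict[string(ct)]
		if !ok {
			b = '?'
		}
		out = append(out, b)
	}
	return string(out)
}
```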