0

I am new here and not an cryptography expert; but I have been using encryption library for a while. My company is working on a small hardware device. It is powered by a microcontroller so memory is an issue we have to deal with. So we decided to come up with our encryption scheme when sending messages to the devices. This is what we are planning to do.

  1. Key distribution is not an issue as we physically update the shared secret almost everyday and it is not stored on the device itself.
  2. For encryption key. The shared secret is concatenated with a very large true random number (used as IV), then a hash function is applied x number of times to obtain a fixed length key for the first block of data.
  3. To encrypt subsequent block of data, a new vector is derived by the block number and the IV. A new key is then generated like in 2 just for this block of data. Hence every block of data has its own key.
  4. We know some hash functions are expensive, but speed is not an issue here since the device is slow to begin with.

So this is what we have come up with and we will appreciate your comments.

Edit: After more research. I found that what I described is just CTR mode here? So I will go with an existing implementation. Any recommendation on a library? I also heard some people said they had encountered cross platform issues between iOS and Android. Any comment on this?

user2600798
  • 175
  • 1
  • 6
  • 5
    I'm voting to close this question as off-topic because it belongs on [Crypto StackExchange](http://crypto.stackexchange.com/) (but that's not a listed migration choice; it should be once it [leaves beta](http://meta.security.stackexchange.com/questions/1292/vote-to-close-migrate-to-crypto-se)!). And whether it's here or there, the answer is going to be "don't roll your own crypto." Surely vetted crypto algorithms exist for the broad niche of limited hardware endpoint! – gowenfawr Apr 24 '15 at 14:15
  • See also [Is there any recent cryptographic algorithm especially designed for low-level processors?](http://crypto.stackexchange.com/questions/3278/is-there-any-recent-cryptographic-algorithm-especially-designed-for-low-level-pr) – gowenfawr Apr 24 '15 at 14:20
  • @gowenfawr It's not listed because it's beta; once it graduates I assume it'll be listed. – cpast Apr 24 '15 at 14:20
  • Thanks @cpast, I actually found that as I was searching for the appropriate method for recommending a site be added to the migration list :) :) :) – gowenfawr Apr 24 '15 at 14:22

3 Answers3

6

Well, for one, the description of your scheme is not a scheme description. This is just a collection of vague intents. The description of a cryptographic scheme must be such that by reading the description alone, I could write an independent implementation that interoperates with yours. A good description looks like this. Or that.

Also, in your description, you don't actually say how you, you know, encrypt things. You seem to allude to some key derivation scheme from which you obtain "vectors" that appear to depend on the shared secret, but not on the data itself. What these vectors do, and how the data is encrypted and decrypted, is unclear.

In any case, designing your own cryptographic algorithm is a bad idea for the main reason that it is extremely hard to come up with a secure algorithm. Most of the training in cryptography consists in understanding just that: making a secure algorithm is a hard endeavour. The conceptual reason for that is that there is no test for security. The best we can do is to write down a complete and detailed specification (including a reference implementation, test vectors, and a heavy rationale for why it might be secure) and then submit that to a bunch of cryptographers and let them try to find flaws. It takes dozens of cryptographers, and several years of effort. This is why that kind of job is done through organized "competitions" like it was done for the AES.

A ten-line question on security.SE cannot be considered to be a reasonable alternative.

Moreover, most situations that warrant encryption (to ensure data confidentiality) also need something to guarantee integrity, because attackers are evil, don't play "by the rules", and may try to alter the data in transit, possibly to learn things about the data and keys based on how the systems behave when facing the altered data. Integrity is obtained through the use of a MAC. Combining encryption and a MAC securely is harder than it looks, so, there again, it is a job for competition-powered cryptographers (usual recommended solutions are GCM and EAX, but there is, indeed, an ongoing competition to get something better).

And when you have a good protocol (a secure assembly of secure algorithms) that should fulfil your needs, then you are not done yet; you must still get an implementation that is correct, robust, efficient, and (crucially) does not leak information. Side-channel attacks can be particularly deadly for careless code in embedded systems. There again, this is a matter of science and also a lot of skill, that cannot be improvised.

To sum up, you are in need for, at least, some serious help from a professional cryptographer (no, I am not for hire at the moment). Unless you are in a case where the data you want to protect is uninteresting, which ensures ultimate security: nothing protects data more than making the data so boring and useless that nobody actually bothers to try to access it.

Tom Leek
  • 170,038
  • 29
  • 342
  • 480
2

Generally, the best two rules governing encryption scheme creation when seeking reliable security and not just "folklore security" are:

Rule 1: Usually you do not need to run your own crypto

Rule 2: If you need to run your own crypto, immediately refer to rule 1.

If at last, for some reasons, you so need to run own crypto that it overwhelms the two above rules, then get professional assistance for this. It might be expensive, but cryptography is a complex matter which requires high technical knowledge and this comes at a price.

This quotation from Bruce Schneier is always a good thing to remember: "Anyone can invent an encryption algorithm they themselves can't break; it's much harder to invent one that no one else can break".

WhiteWinterWolf
  • 19,142
  • 4
  • 59
  • 107
0

Is this based on some existing scheme. if so what?

I can't be sure at all how hard your scheme would be to break from your description.

As a rule of thumb rolling your own code rather than using existing libraries is generally discouraged since your odds of making mistakes are high.

Trying to invent your own algorithm is much worse and is almost universally a bad idea. It is almost certain to be insecure if this is a scheme you've just invented yourself.

There are libraries available for very memory-limited devices, there's even crypto libraries available for arduino. If security is actually important try to use an existing library.

Murphy
  • 2,175
  • 1
  • 9
  • 10