
Ask HN: How do computers 'know' when they've used the right encryption key? - jc_811
Probably a newb question, but security &amp; encryption really interest me.<p>In this example say I encrypt the word &quot;Coffee&quot; and after encrypting it I send it through cyberspace as &quot;37fbFFJKEBF79fdgueG&quot;<p>So if a malicious attacker tries to crack this by pure brute force, each time they use the &#x27;wrong&#x27; key they still get a value back - correct? So if they use the wrong key they will continue to get gibberish until they use the correct key and get the word &quot;Coffee&quot;<p>My question is, how does the hacker (or the computer) know when they&#x27;ve guessed correctly and differentiate between the gibberish &amp; the real data? Does the data return an &#x27;error&#x27; if you try to crack it using the wrong key? If not, how do they know when they have guessed correctly and cracked it?
======
tptacek
This is a good question that can get a little deep.

The short answer depends on what you're cracking.

Let's assume your message was encrypted with AES, using a key derived from a
passphrase, and nothing else. There's no authenticator on the message (no
keyed checksum) and so the ciphertext is insecure, but we'll ignore that.

Then the attacker is just going to try every possible password. As you
observed, each of those decryption attempts is going to generate gibberish.
But all those gibberish results will be _binary_ gibberish: a decryption
attempt with a key differing even in one bit from the real key will produce an
effectively random plaintext, with bits evenly distributed.

The right key won't have that property; the result will be 7-bit ASCII. It
will almost certainly be the only result that produces ASCII, and certainly
the only one producing intelligible ASCII. :)

If the message is encrypted securely, with an authenticator, the job of
cracking it might be slightly simpler: you use the authenticator to verify
that you got the right result. This is how some older systems tell you you got
the right key (but it also implies that you encrypted the MAC, which is unsafe
for other reasons).

Finally, if you're encrypting with a block cipher mode that requires padding
--- something you shouldn't do but that systems designed 5+ years ago all tend
to do --- you'll know if you got the right key based on whether the padding
makes sense. There's a very famous crypto attack based on this property.

[http://cryptopals.com/sets/3/challenges/17/](http://cryptopals.com/sets/3/challenges/17/)

~~~
jc_811
This was a super helpful answer, thanks!

------
jonny_storm
When working with a low-level cryptography API for the first time, you can
easily miss a step and subsequently mistake ciphertext for plaintext. Unless
the length or contents of the result fails to match your expectations, you'll
have no way to know otherwise.

Indeed, the notion of what expectations you can even have of the data, in
principle, relates to information theory and reducing said expectations is
crucial to keeping private transmissions secure.

------
dozzie
In the real world, an attacker knows _some_ plaintext of the message, or at
least its format. For instance, it would be an IP or TCP header, HTTP request,
or PNG/JPEG format header.

~~~
jc_811
So if this were happening with brute force, the attacker would keep using
different keys until the data returned was clearly an IP address? (or whatever
else they are looking for). And the computer doesn't actually know or get any
feedback if it's correct? It's all on the attacker to analyze the results of
each attempt

~~~
dozzie
> until the data returned was clearly an IP address?

No. Any four bytes is an IP _address_. You do realize that IP is a _protocol_
, right?

~~~
jc_811
Sorry misspoke there. I meant to simply sub in one of the examples you had
given (IP or TCP header, HTTP request, or PNG/JPEG format header)

~~~
dozzie
Ah, it was my fault then. Sorry. I had a header of an IP packet in mind. Its
format is known and machine-verifiable, and even includes a simple checksum,
so it's quite easy to tell if the guessed encryption key has a chance of being
valid.

