
AES-128 Key Recovery: Plaintext/Ciphertext Attack

TL;DR

Yes, an AES-128 key can be recovered if an attacker controls the plaintext and can observe both the corresponding ciphertext and the Initialization Vector (IV). This is because AES in CBC mode becomes vulnerable to a known-plaintext attack. The vulnerability stems from the XOR operation used in CBC mode; repeated plaintexts will reveal information about the key.

Understanding the Attack

AES-128 uses a 128-bit key for encryption. When AES is used in Cipher Block Chaining (CBC) mode, each plaintext block is XORed with the previous ciphertext block before encryption. The IV is used to initialize the first block.

Step-by-Step Key Recovery

  1. Setup: Assume you have access to a system using AES-128 in CBC mode, and you can send arbitrary plaintext data and receive the corresponding ciphertext and IV.
  2. Send First Plaintext Block (P1): Send a known plaintext block P1 to the encryption system. Record the received ciphertext block C1 and the IV (IV1).
  3. Send Second Plaintext Block (P2 = P1): Now, send the same plaintext block P1 again. Record the new ciphertext block C2 and the IV (IV2). Because the plaintext is identical to the first block, we can exploit the CBC mode properties.
  4. Exploit XOR Property: In CBC mode:
    • C1 = AES(P1 XOR IV1)
    • C2 = AES(P2 XOR IV2)

    Since P1 = P2, we have:

    C1 XOR C2 = (AES(P1 XOR IV1)) XOR (AES(P1 XOR IV2))
  5. Calculate Key Differences: Because AES is a deterministic algorithm, the difference between C1 and C2 reveals information about the key. Specifically:
    C1 XOR C2 = AES(P1 XOR IV1) XOR AES(P1 XOR IV2)

    This can be simplified to reveal differences related to the key used in the AES encryption.

  6. Repeat and Refine: Repeat steps 2-4 multiple times with different plaintexts (and record their corresponding ciphertexts and IVs). Each repetition provides more data points.
    • If you can control the IV, this simplifies things greatly as you have a known difference.
    • The goal is to gather enough information about the key schedule to reconstruct the full AES-128 key. This often involves solving a system of equations.
  7. Key Schedule Recovery: The XORed ciphertext differences are related to the round keys used in each round of AES encryption. Using techniques like differential cryptanalysis, you can analyze these differences to recover the individual round keys.
    • This is a complex mathematical process and often requires specialized tools or libraries (e.g., SageMath).
  8. Final Key Recovery: Once you have recovered all the round keys, you can deduce the original AES-128 key used for encryption.

Mitigation

  • Unique IVs: Always use a unique and unpredictable IV for each encryption operation. This is the most important defense against this attack. A counter-based IV generation scheme or a cryptographically secure random number generator are both good options.
  • Avoid Known-Plaintext Scenarios: Design your system to avoid situations where an attacker can control the plaintext being encrypted.
  • Authenticated Encryption: Use authenticated encryption modes (e.g., GCM, CCM) which provide both confidentiality and integrity protection. These modes make it much harder for attackers to manipulate the ciphertext or inject known plaintexts.
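The following is an added example, not code from the original post: it is written in Go against the standard library only, and it checks the step-4 CBC identity C1 = AES_K(P1 XOR IV1) numerically, shows that sending the same block twice under a reused IV yields the same ciphertext block while a distinct IV does not (the equality leak that the first mitigation bullet closes), and wraps the two mitigations from the list above: a CSPRNG-generated IV for CBC and AES-GCM with a fresh nonce per message. The key, IV and plaintext block are constructed demo values, and the function names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed demo values; not taken from any real deployment.
var (
	demoKey = []byte("0123456789abcdef") // 16 bytes: an AES-128 key
	demoIV  = []byte("fedcba9876543210") // 16-byte IV, reused on purpose below
	demoP1  = []byte("attack at dawn!!") // exactly one 16-byte block
)

// xorBlock returns a XOR b for two equal-length byte slices.
func xorBlock(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// rawAES computes AES_K(x) on a single block with no chaining at all.
func rawAES(key, x []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize)
	block.Encrypt(out, x)
	return out, nil
}

// CBCFirstBlock encrypts one 16-byte plaintext block in CBC mode under iv
// and returns the ciphertext block C1.
func CBCFirstBlock(key, iv, p1 []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	c1 := make([]byte, aes.BlockSize)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(c1, p1)
	return c1, nil
}

// XorRelationHolds verifies C1 = AES_K(P1 XOR IV1) by computing both sides
// independently (CBC first block on the left, raw block cipher on the right).
func XorRelationHolds(key, iv, p1 []byte) (bool, error) {
	c1, err := CBCFirstBlock(key, iv, p1)
	if err != nil {
		return false, err
	}
	direct, err := rawAES(key, xorBlock(p1, iv))
	if err != nil {
		return false, err
	}
	return bytes.Equal(c1, direct), nil
}

// SameCiphertext encrypts the same block P1 under iv1 and under iv2 and reports
// whether the two ciphertext blocks collide. With a reused IV they always do,
// which tells an observer the two plaintext blocks were equal.
func SameCiphertext(key, iv1, iv2, p1 []byte) (bool, error) {
	c1, err := CBCFirstBlock(key, iv1, p1)
	if err != nil {
		return false, err
	}
	c2, err := CBCFirstBlock(key, iv2, p1)
	if err != nil {
		return false, err
	}
	return bytes.Equal(c1, c2), nil
}

// FreshIV draws a 16-byte IV from the OS CSPRNG (mitigation: unique IVs).
func FreshIV() ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	_, err := rand.Read(iv)
	return iv, err
}

// GCMSeal is the authenticated-encryption alternative: a fresh 12-byte nonce
// per message, and the returned ciphertext ends with a 16-byte integrity tag.
func GCMSeal(key, plaintext []byte) (nonce, ct []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, nil), nil
}

func main() {
	ok, _ := XorRelationHolds(demoKey, demoIV, demoP1)
	reused, _ := SameCiphertext(demoKey, demoIV, demoIV, demoP1)
	iv2, _ := FreshIV()
	fresh, _ := SameCiphertext(demoKey, demoIV, iv2, demoP1)
	nonce, ct, _ := GCMSeal(demoKey, demoP1)
	fmt.Println("C1 == AES_K(P1 XOR IV1):", ok, "| collision with reused IV:", reused,
		"| collision with fresh IV:", fresh)
	fmt.Printf("GCM nonce=%x ciphertext+tag=%x\n", nonce, ct)
}
```

Running it prints `true`, `true`, `false` for the three checks: the XOR identity holds, a reused IV makes the repeated block visibly identical, and a fresh IV removes that signal; the GCM line shows the nonce that must never repeat under the same key and the tag-extended ciphertext that detects modification.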