I've been looking around for and AES key generation algorithm, slightly concerned about 'what' my key was, and more concerningly, are there 'strong' and 'weak' keys?
Had found a python article which specifically not to use an algorithm similar to this when generating a key:
import random
key = []
for x in range(16):
key.append(chr(random.randrange(0,255)))
return key
I get the idea that a key shouldn't be predictable, and I know that normal 'random' byte generation based on time isn't exactly random.
My question however, is that even if you do use a simple algorithm (or even a 16-byte passphrase for that matter) for the key and AES is implemented properly, is the key any weaker than any other?
AES in itself doesn't have any weak keys. Weak keys are keys that will bring forward special properties of the block cipher. For instance, a weak key could be key where double encryption with that key will result in the plaintext again. That definition of a weak key is however not the one you are using.
Of course guessing the time is a real option, and the random number generator can be seeded with that time and the keys can be regenerated that way. So that's surely not strong. If the random number generates any other data then the attacker may also be able to calculate the previous states including the one that generated the key. Not a good idea.
Any symmetric cipher requires the keys to be fully unpredictable. That doesn't just mean that they are hard to guess; they should be impossible to guess. Otherwise the security strength of the key is not met. For instance, if you use 16 fully random hexadecimal characters instead of bytes as key, you would half the key size, leaving only 64 bits instead of 128.
The same problem is with passwords. Unfortunately passwords that humans bring up are incredibly weak. This is why we use tricks such as key stretching in a Password Based Key Derivation Function or PBKDF to strengthen the Password Based Encryption or PBE.
So yes, the key is weaker than a key consisting of fully random bytes, because an attacker has got an easier time to guess it. This is basically independent of the (block) cipher used.
The contents of the key does certainly matter.