Cryptomator audit
3/31/2023

TL;DR: this code should've never passed audit.

I've found numerous problems, but I'll focus on the attack that lets someone manipulate a ciphertext and have it successfully decrypt as something else. While the audit report says "Boxcryptor is not enforcing integrity," this attack can let an adversary decrypt a (short) ciphertext, given a padding oracle. This company should've never rolled their own crypto for Authenticated Encryption, a problem that has been solved if you just use a pre-existing library. I'm surprised that this code has a "successful" audit.

The cryptography _protocol_ implemented in the linked github repo ( ) has several flaws (in addition to some bad code practices that I'll skip over, since this repo is supposed to only document the encryption protocols).

First, the authors' problems appear to stem from their choice to manually implement an unusual (and inefficient) construction of the Authenticated Encryption primitive. Authenticated Encryption is the most common crypto primitive that people mean when they say "they want encryption." It's placed front-and-center in libsodium, ring, mundane, tink, monocypher, and every modern cryptography library that I've seen, since it is such a common operation. Modern Authenticated Encryption constructions include AES-GCM and (X)ChaCha20-Poly1305. While others exist, the industry has converged on these two as the standard. These modes did not emerge for no reason: we've arrived at these constructions, in particular, because previous constructions have had security flaws. The cryptography community has steadily iterated on what the default should be when somebody asks, "how can I encrypt my file?"

The authors of this repo have chosen to use the following protocol (for decryptDataPBKDF2):

1. Derive two keys (KE, KH) from a password string using PBKDF2. KE is the encryption key used with AES, and KH is an HMAC key (used for multiple purposes, which is problematic).
2. Read the AES-CBC initialization vector, IV.
3. Check HMAC(KH, C) = the tag in the file.
4. Output AES-CBC-DECRYPT(KE, IV, C) with PKCS#5 padding.
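As an added example (my own code, not the audited repo's), here is a Python model of the four-step decryptDataPBKDF2 protocol above, with a flag selecting whether the HMAC covers only C, as the post describes, or IV || C; `flip_first_block` is the reviewer's integrity check, showing that under the post's construction a file whose IV has been edited still passes step 3 and decrypts to a different first block, while the IV-covering variant rejects it. It assumes the third-party `cryptography` package is installed; the salt, SHA-256, key sizes and the IV || C || tag file layout are my assumptions, since the post does not state them.

```python
import hashlib
import hmac
import os
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

SALT = b"constructed-salt"  # constructed for this example; a real file carries its own salt
BLOCK = 16                  # AES block size; PKCS#5 and PKCS#7 padding coincide here
TAG_LEN = 32                # HMAC-SHA256 output length

def derive_keys(password: str):
    """Step 1: PBKDF2 -> (KE, KH). Sizes and hash are assumptions, not the repo's."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000, dklen=64)
    return km[:32], km[32:]

def _tag(kh: bytes, iv: bytes, c: bytes, mac_covers_iv: bool) -> bytes:
    # The post's protocol computes HMAC(KH, C); the hardened variant covers IV || C.
    return hmac.new(kh, iv + c if mac_covers_iv else c, hashlib.sha256).digest()

def encrypt(password: str, plaintext: bytes, mac_covers_iv: bool) -> bytes:
    """Produces IV || C || tag, the inverse of the four decryption steps."""
    ke, kh = derive_keys(password)
    iv = os.urandom(BLOCK)
    padder = padding.PKCS7(8 * BLOCK).padder()
    enc = Cipher(algorithms.AES(ke), modes.CBC(iv)).encryptor()
    c = enc.update(padder.update(plaintext) + padder.finalize()) + enc.finalize()
    return iv + c + _tag(kh, iv, c, mac_covers_iv)

def decrypt(password: str, blob: bytes, mac_covers_iv: bool) -> bytes:
    ke, kh = derive_keys(password)
    iv, c, tag = blob[:BLOCK], blob[BLOCK:-TAG_LEN], blob[-TAG_LEN:]   # step 2: read IV
    if not hmac.compare_digest(_tag(kh, iv, c, mac_covers_iv), tag):    # step 3: check tag
        raise ValueError("tag mismatch")
    dec = Cipher(algorithms.AES(ke), modes.CBC(iv)).decryptor()         # step 4: CBC, unpad
    unpadder = padding.PKCS7(8 * BLOCK).unpadder()
    return unpadder.update(dec.update(c) + dec.finalize()) + unpadder.finalize()

def integrity_check(password: str, blob: bytes, mac_covers_iv: bool):
    """Reviewer's check: what a file decrypts to, or None when step 3 rejects it."""
    try:
        return decrypt(password, blob, mac_covers_iv)
    except ValueError:
        return None

def flip_first_block(blob: bytes, known: bytes, wanted: bytes) -> bytes:
    """CBC gives P1 = AES-D(C1) XOR IV, so editing the IV edits P1 byte for byte while
    C, the only input to HMAC(KH, C), is untouched. Only the first block is affected."""
    delta = bytes(k ^ w for k, w in zip(known.ljust(BLOCK, b"\0"), wanted.ljust(BLOCK, b"\0")))
    return bytes(i ^ d for i, d in zip(blob[:BLOCK], delta)) + blob[BLOCK:]
```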