Re: Encryption: Vim should use authenticated encryption mode
Jan 11, 2014

On Sat 16 Feb 2013 at 20:21:48 +0530, Mosh wrote:
> 1. It is working correctly as designed, see the specs on how encryption works:
> and note the details on single bit corruption and its effect on blocks,
> and error propagation across blocks.

The code in Vim uses the words "Output feedback mode" and the 3 letters
"ofb" in a few places around bf_crypt_encode(), thereby suggesting that
it is indeed using the Output FeedBack mode.

However that isn't actually true. The code isn't really clear but I
think it seems most like CFB: the plaintext is XORed with the output
from the block cypher and given back to the block cypher in the next
block. This became visible only when I drew a picture and compared it
with those on the Wikipedia page.

It looks like that without the macro "BF_OFB_UPDATE" the code would
actually implement OFB.
> 2.
> >> This attack allows someone to modify encrypted files so that the owner
> >> doesn't notice. With sufficient tries or skill it might be possible to
> >> change a file's values in a predictable way at a certain offset.
> This argument is not true for blowfish or any good encryption algorithm.

Actually it can definitely be true. And that isn't due to a deficiency
in Blowfish or its implementation, but when OFB mode is used. And as
long as the code suggests that OFB indeed is used, this counts as a
vulnerability in itself.

As you can see at
when decrypting in OFB mode, a corruption in one cyphertext block does
*not* propagate to any next block! In effect, the block cypher is merely
used to generate a stream of pseudo-random bits which are
Note I'm not a professional cryptographer, but I've made a few crypto
thingies in the past and got lambasted for the stupid mistakes I made in
them. This taught me that it is much more difficult to get it right
than to get it wrong, and about some of the mistakes that any
non-careful implementer oh so easily makes.

I would suggest updating the terminology in blowfish.c, and then have
another few people look at it to triple-check it.

Oh, and I too think that decrypting to garbage without an error message
is really the wrong thing to do.
___ Olaf 'Rhialto' Seibert -- The Doctor: No, 'eureka' is Greek for
\X/ rhialto/at/xs4all.nl -- 'this bath is too hot.'
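The mode behaviour the mail describes, as an added example (not part of the thread or of Vim's blowfish.c): a one-bit change in an OFB ciphertext block changes exactly that bit of the recovered plaintext and nothing else, while in CFB the next block also comes back as garbage, and neither mode reports anything. A constructed SHA-256 based PRF stands in for the encrypt direction of Blowfish (both modes only ever use that direction); the 8-byte block size, the key, IV and the sample "file" are all constructed here. The last part shows what the thread's subject asks for, an authenticated construction (encrypt-then-MAC with HMAC-SHA256) that refuses to decrypt a modified file instead of returning garbage.

```python
import hashlib
import hmac

BLOCK = 8  # Blowfish uses 8-byte blocks; the stand-in below keeps that size


def prf_block(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in for a block cipher's encrypt direction E_k.

    OFB and CFB only ever call the forward direction, so a keyed PRF built
    from SHA-256 and truncated to BLOCK bytes is enough to show how the
    modes behave. It is not Blowfish and is not a real cipher.
    """
    return hashlib.sha256(b"toy-E|" + key + b"|" + block).digest()[:BLOCK]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ofb_xcrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """OFB: keystream block i = E_k(keystream block i-1). Ciphertext is never fed
    back, so encrypt and decrypt are the same operation and each ciphertext bit
    maps to exactly one plaintext bit."""
    out, feedback = [], iv
    for blk in _blocks(data):
        feedback = prf_block(key, feedback)
        out.append(_xor(blk, feedback))
    return b"".join(out)


def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB: keystream block i = E_k(ciphertext block i-1), so ciphertext feeds back."""
    out, feedback = [], iv
    for blk in _blocks(plaintext):
        ct = _xor(blk, prf_block(key, feedback))
        out.append(ct)
        feedback = ct
    return b"".join(out)


def cfb_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, feedback = [], iv
    for blk in _blocks(ciphertext):
        out.append(_xor(blk, prf_block(key, feedback)))
        feedback = blk
    return b"".join(out)


def decrypt_after_bitflip(mode: str, key: bytes, iv: bytes, plaintext: bytes, bit_index: int) -> bytes:
    """Encrypt, flip one ciphertext bit (a corrupted or modified file), decrypt
    again and return what the reader gets back. No error is raised in either mode."""
    if mode == "ofb":
        ct, decrypt = ofb_xcrypt(key, iv, plaintext), lambda c: ofb_xcrypt(key, iv, c)
    elif mode == "cfb":
        ct, decrypt = cfb_encrypt(key, iv, plaintext), lambda c: cfb_decrypt(key, iv, c)
    else:
        raise ValueError(mode)
    tampered = bytearray(ct)
    tampered[bit_index // 8] ^= 1 << (bit_index % 8)
    return decrypt(bytes(tampered))


def damaged_blocks(original: bytes, recovered: bytes) -> list:
    """Indices of the plaintext blocks that no longer match after the bit flip."""
    return [i for i, (p, r) in enumerate(zip(_blocks(original), _blocks(recovered))) if p != r]


def differing_bits(a: bytes, b: bytes) -> list:
    return [i for i in range(len(a) * 8)
            if ((a[i // 8] >> (i % 8)) & 1) != ((b[i // 8] >> (i % 8)) & 1)]


def _keys(key: bytes):
    # Separate keys for cipher and MAC, derived from one user key (constructed KDF).
    return hashlib.sha256(b"enc|" + key).digest(), hashlib.sha256(b"mac|" + key).digest()


def seal(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: OFB for confidentiality, HMAC-SHA256 over IV||ciphertext so
    that any change to the stored file is detected before decryption."""
    enc_key, mac_key = _keys(key)
    ct = ofb_xcrypt(enc_key, iv, plaintext)
    return iv + ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _keys(key)
    iv, ct, tag = blob[:BLOCK], blob[BLOCK:-32], blob[-32:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        raise ValueError("authentication failed: file was modified or corrupted")
    return ofb_xcrypt(enc_key, iv, ct)


def tamper_is_detected(key: bytes, blob: bytes, bit_index: int) -> bool:
    """True if flipping one bit of a sealed file makes unseal() refuse it."""
    t = bytearray(blob)
    t[bit_index // 8] ^= 1 << (bit_index % 8)
    try:
        unseal(key, bytes(t))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    key, iv = b"constructed-demo-key", bytes(BLOCK)
    pt = b"Vim file content, 32 bytes long!"  # constructed sample, 4 blocks
    for mode in ("ofb", "cfb"):
        rec = decrypt_after_bitflip(mode, key, iv, pt, 5)
        print(mode, "damaged blocks:", damaged_blocks(pt, rec), "bits:", differing_bits(pt, rec))
    print("sealed file rejected after bit flip:", tamper_is_detected(key, seal(key, iv, pt), BLOCK * 8 + 5))
```

The OFB run reports exactly one changed bit (the one that was flipped) and CFB reports block 0 with that one bit and block 1 fully garbled; that single-bit, position-preserving mapping is what makes the unauthenticated OFB ciphertext easy to alter silently, and the HMAC check is the part that turns such an alteration into an error instead of garbage.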