#74846 Re: Encryption: Vim should use authenticated encryption mode

    Rhialto
    Jan 11, 2014
      On Sat 16 Feb 2013 at 20:21:48 +0530, Mosh wrote:
      > 1. It is working correctly as designed, see the specs on how encryption works:
      > http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation
      > and note the details on single bit corruption and its effect on blocks,
      > and error propagation across blocks.

      The code in Vim uses the words "Output feedback mode" and the 3 letters
      "ofb" in a few places around bf_crypt_encode(), thereby suggesting that
      it is indeed using the Output FeedBack mode.

      However that isn't actually true. The code isn't really clear but I
      think it seems most like CFB: the plaintext is XORed with the output
      from the block cypher and given back to the block cypher in the next
      block. This became visible only when I drew a picture and compared it
      with those on the wikipedia page.

      It looks like, without the macro "BF_OFB_UPDATE", the code would
      actually implement OFB.

      > 2.
      > >> This attack allows someone to modify encrypted files so that the owner
      > >> doesn't notice. With sufficient tries or skill it might be possible to
      > >> change a file's values in a predictable way at a certain offset.
      >
      > This argument is not true for blowfish or any good encryption algorithm.

      Actually it can definitely be true. And that isn't due to a deficiency
      in Blowfish or its implementation, but when OFB mode is used. And as
      long as the code suggests that OFB indeed is used, this counts as a
      vulnerability in itself.

      As you can see at
      http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Output_feedback_.28OFB.29
      when decrypting in OFB mode, a corruption in one cyphertext block does
      *not* propagate to any next block! In effect, the block cypher is merely
      used to generate a stream of pseudo-random bits which are

      Note I'm not a professional cryptographer, but I've made a few crypto
      thingies in the past and got lambasted for the stupid mistakes I made in
      them. This taught me that it is much more difficult to get it right
      than to get it wrong, and about some of the mistakes that any
      non-careful implementer oh so easily makes.

      I would suggest updating the terminology in blowfish.c, and then having
      another few people look at it to triple-check it.

      Oh, and I too think that decrypting to garbage without an error message
      is really the wrong thing to do.

      -Olaf.
      --
      ___ Olaf 'Rhialto' Seibert -- The Doctor: No, 'eureka' is Greek for
      \X/ rhialto/at/xs4all.nl -- 'this bath is too hot.'
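To make the propagation difference Olaf describes concrete, here is an added Go example, not code from Vim or from anyone in this thread. It uses AES from Go's standard library as the block cipher (the OFB/CFB propagation behaviour does not depend on which cipher is used, so it stands in for Blowfish here), with constructed keys, IV and plaintext; the function names apply, tamper, mac and verify are mine. It flips one ciphertext bit under OFB and under CFB and reports which 16-byte blocks change on decryption, then shows the encrypt-then-MAC check that turns such a modification into a rejected file instead of silently altered text.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
)
var ( // constructed demo values, not Vim's; real code derives fresh keys per file
	encKey    = []byte("0123456789abcdef0123456789abcdef") // AES-256 key
	macKey    = []byte("independent-key-for-the-mac")      // separate MAC key
	iv        = []byte("demo-iv-16-bytes")                 // one AES block
	plaintext = []byte("block0-16-bytes!block1-16-bytes!block2-16-bytes!")
)

// apply runs the chosen stream mode ("ofb" or "cfb") over src and returns the result.
func apply(mode string, decrypt bool, src []byte) []byte {
	blk, _ := aes.NewCipher(encKey)
	s := cipher.NewCFBEncrypter(blk, iv) // CFB feeds each ciphertext block back into AES
	if mode == "ofb" {                    // OFB keystream never depends on the ciphertext
		s = cipher.NewOFB(blk, iv)
	} else if decrypt {
		s = cipher.NewCFBDecrypter(blk, iv)
	}
	dst := make([]byte, len(src))
	s.XORKeyStream(dst, src)
	return dst
}

// tamper flips the low bit of ciphertext byte pos, decrypts, and returns the recovered text plus the indexes of the 16-byte blocks that no longer match the plaintext.
func tamper(mode string, pos int) ([]byte, []int) {
	ct := apply(mode, false, plaintext)
	ct[pos] ^= 0x01
	pt := apply(mode, true, ct)
	var bad []int
	for i := 0; i < len(pt); i += 16 {
		if string(pt[i:i+16]) != string(plaintext[i:i+16]) {
			bad = append(bad, i/16)
		}
	}
	return pt, bad
}

// mac is an encrypt-then-MAC tag over the ciphertext; verify rejects a modified ciphertext before decryption instead of silently producing altered text.
func mac(ct []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(ct)
	return m.Sum(nil)
}

func verify(ct, tag []byte) bool { return hmac.Equal(mac(ct), tag) }
```

Under OFB the flipped bit lands on exactly the same plaintext bit and nothing else changes; under CFB block 1 gets the same single-bit change and block 2 becomes garbage, which is the "error propagation" the wiki page describes and the reason the terminology matters.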