74848Re: Encryption: Vim should use authenticated encryption mode
- Jan 11, 2014Olaf Seibert wrote:
> On Sat 16 Feb 2013 at 20:21:48 +0530, Mosh wrote:Right, it looks like the code is doing CFB instead of OFB.
> > 1. It is working correctly as designed, see the specs on how encryption works:
> > http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation
> > and note the details on single bit corruption and its effect on blocks,
> > and error propagation across blocks.
> The code in Vim uses the words "Output feedback mode" and the 3 letters
> "ofb" in a few places around bf_crypt_encode(), thereby suggesting that
> it is indeed using the Output FeedBack mode.
> However that isn't actually true. The code isn't really clear but I
> think it seems most like CFB: the plaintext is XORed with the output
> from the block cypher and given back to the block cypher in the next
> block. This became visible only when I drew a picture and compared it
> with those on the wikipedia page.
> It looks like that without the macro "BF_OFB_UPDATE" the code would
> actually implement OFB.
> > 2.So, CFB is better than OFB? Then we are fine.
> > >> This attack allows someone to modfiy encrypted files so that the owner
> > >> doesn't notice. With sufficient tries or skill it might be possible to
> > >> change a file's values in a predictable way at a certain offset.
> > This argument is not true for blowfish or any good encryption algorithm.
> Actually it can definitely be true. And that isn't due to a deficiency
> in Blowfish or its implementation, but when OFB mode is used. And as
> long as the code suggest that OFB indeed is used, this counts as a
> vulnerability in itself.
> As you can see at
> when decrypting in OFB mode, a corruption in one cyphertext block does
> *not* propagate to any next block! In effect, the block cypher is merely
> used to generate a stream of pseudo-random bits which are
> XORed with the plain text to generate the ciphertext.
> Which means that an attacker can trivially flip any bits in the file
> that (s)he wishes.
> Note I'm not a professional cryptographer, but I've made a few cryptoIt does make an attack more complicated. Even more so when compressing
> thingies in the past and got lambasted for the stupid mistakes I made in
> them. This taught me that it is much more difficult to get it right
> than to get it wrong, and about some of the mistakes that any
> non-careful implementer oh so easily makes.
> I would suggest updating the terminology in blowfish.c, and then have
> another few people look at it to triple-check it.
> Oh, and I too think that decrypting to garbage without an error message
> is really the wrong thing to do.
the text before encrypting it.
hundred-and-one symptoms of being an internet addict:
142. You dream about creating the world's greatest web site.
/// Bram Moolenaar -- Bram@... -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ an exciting new programming language -- http://www.Zimbu.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
You received this message because you are subscribed to the Google Groups "vim_dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vim_dev+unsubscribe@....
For more options, visit https://groups.google.com/groups/opt_out.
- << Previous post in topic