Loading ...
Sorry, an error occurred while loading the content.

74848Re: Encryption: Vim should use authenticated encryption mode

Expand Messages
  • Bram Moolenaar
    Jan 11, 2014
    • 0 Attachment
      Olaf Seibert wrote:

      > On Sat 16 Feb 2013 at 20:21:48 +0530, Mosh wrote:
      > > 1. It is working correctly as designed, see the specs on how encryption works:
      > > http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation
      > > and note the details on single bit corruption and its effect on blocks,
      > > and error propagation across blocks.
      > The code in Vim uses the words "Output feedback mode" and the 3 letters
      > "ofb" in a few places around bf_crypt_encode(), thereby suggesting that
      > it is indeed using the Output FeedBack mode.
      > However that isn't actually true. The code isn't really clear but I
      > think it seems most like CFB: the plaintext is XORed with the output
      > from the block cypher and given back to the block cypher in the next
      > block. This became visible only when I drew a picture and compared it
      > with those on the wikipedia page.
      > It looks like that without the macro "BF_OFB_UPDATE" the code would
      > actually implement OFB.

      Right, it looks like the code is doing CFB instead of OFB.

      > > 2.
      > > >> This attack allows someone to modfiy encrypted files so that the owner
      > > >> doesn't notice. With sufficient tries or skill it might be possible to
      > > >> change a file's values in a predictable way at a certain offset.
      > >
      > > This argument is not true for blowfish or any good encryption algorithm.
      > Actually it can definitely be true. And that isn't due to a deficiency
      > in Blowfish or its implementation, but when OFB mode is used. And as
      > long as the code suggest that OFB indeed is used, this counts as a
      > vulnerability in itself.
      > As you can see at
      > http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Output_feedback_.28OFB.29
      > when decrypting in OFB mode, a corruption in one cyphertext block does
      > *not* propagate to any next block! In effect, the block cypher is merely
      > used to generate a stream of pseudo-random bits which are
      > XORed with the plain text to generate the ciphertext.
      > Which means that an attacker can trivially flip any bits in the file
      > that (s)he wishes.

      So, CFB is better than OFB? Then we are fine.

      > Note I'm not a professional cryptographer, but I've made a few crypto
      > thingies in the past and got lambasted for the stupid mistakes I made in
      > them. This taught me that it is much more difficult to get it right
      > than to get it wrong, and about some of the mistakes that any
      > non-careful implementer oh so easily makes.
      > I would suggest updating the terminology in blowfish.c, and then have
      > another few people look at it to triple-check it.
      > Oh, and I too think that decrypting to garbage without an error message
      > is really the wrong thing to do.

      It does make an attack more complicated. Even more so when compressing
      the text before encrypting it.

      hundred-and-one symptoms of being an internet addict:
      142. You dream about creating the world's greatest web site.

      /// Bram Moolenaar -- Bram@... -- http://www.Moolenaar.net \\\
      /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
      \\\ an exciting new programming language -- http://www.Zimbu.org ///
      \\\ help me help AIDS victims -- http://ICCF-Holland.org ///

      You received this message from the "vim_dev" maillist.
      Do not top-post! Type your reply below the text you are replying to.
      For more information, visit http://www.vim.org/maillist.php

      You received this message because you are subscribed to the Google Groups "vim_dev" group.
      To unsubscribe from this group and stop receiving emails from it, send an email to vim_dev+unsubscribe@....
      For more options, visit https://groups.google.com/groups/opt_out.
    • Show all 22 messages in this topic