Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Multiple Cryptographic Issues #1

Open
paragonie-scott opened this issue Jan 21, 2018 · 2 comments
Open

Multiple Cryptographic Issues #1

paragonie-scott opened this issue Jan 21, 2018 · 2 comments
Assignees
@Dragonrun1
Labels
wontfix

Comments

@paragonie-scott
Copy link

paragonie-scott commented Jan 21, 2018
edited

  • encryption-helper/src/EncryptionHelper.php

    Line 220 in add0c21

    if ($checksum === null || $checksum !== $this->computedCheckSum()) {

  • encryption-helper/src/EncryptionHelper.php

    Lines 345 to 363 in add0c21

    /**
    * Used to create and validate query checksum value.
    *
    * @return string
    */
    private function computedCheckSum(): string
    {
    $checksum = 0;
    $zero = ord('0');
    $func = function ($acc = 0, $value) use ($zero) {
    foreach (str_split($value) as $item) {
    $acc += ord($item) - $zero;
    }
    return $acc;
    };
    $checksum += array_reduce(array_keys($this->queries), $func);
    $checksum += array_reduce($this->queries, $func);
    return sprintf('%X', $checksum);
    }
    • This checksum is not a secure message authenticator (e.g. HMAC-SHA256, Poly1305), particularly because it doesn't have any secret keys.

  • encryption-helper/src/EncryptionHelper.php

    Line 438 in add0c21

    private $cipher = 'DES-CBC';

  • encryption-helper/src/EncryptionHelper.php

    Lines 137 to 138 in add0c21

    $decrypted = openssl_decrypt($this->getBytes($data), $this->cipher, $this->getKey(),
    OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $this->getInitVector());

When you combine these snippets together, you get a situation that looks like this:

  1. You're encrypting by default with DES, which can be brute-forced in a day's time.
  2. You're using unauthenticated encryption.
  3. You're using it to encrypt URL parameters, which is a questionable solution to begin with.
@Dragonrun1 Dragonrun1 self-assigned this Jan 22, 2018
@Dragonrun1
Copy link
Owner

As the README says I created this to replace an existing c# library with a PHP one for someone I did not create it because I thought it was really well done. I made it to be a drop in replacement and that was all. You can check out the original reasons for the class at
https://www.phpclasses.org/package/10011-PHP-Encrypt-and-decrypt-of-GET-query-lists.html through it does look like the one link is bad to the request I was solving.

I did some digging and found it again
https://www.phpclasses.org/recommend/781-I-want-to-Decrypt-the-C-Encryption-string-in-php.html

@paragonie-scott
Copy link
Author

Maybe delist it from PHP Classes so other people don't accidentally use it?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Dragonrun1 Dragonrun1

Labels
wontfix
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Dragonrun1 @paragonie-scott