This repository has been archived by the owner. It is now read-only.

Please use IV for CBC mode #4

Open
jfinkhaeuser opened this issue Oct 1, 2013 · 6 comments

@jfinkhaeuser

commented Oct 1, 2013

See http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Cipher-block_chaining_.28CBC.29

I can only assume that the ruby openssl wrapper uses null bytes for the IV in your use-case, which is not secure.

@KMarshland


commented Nov 25, 2016

Just made a pull request to fix this.

I also verified that, although it didn't appear to be using null bytes, the IV was not being randomized at all between uses.
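As an added illustration of the two comments above (this is not code from the aescrypt gem or from either commenter), the constant-IV pattern that the report describes is shown beside the per-message random IV that fixes it. It assumes AES-256-CBC through Ruby's OpenSSL binding and uses a constructed key; the all-zero IV stands in for whatever fixed value the gem was using.

```ruby
require 'openssl'
require 'securerandom'

# Constructed demo key; in the gem the key is derived from the user's passphrase.
KEY = SecureRandom.random_bytes(32)
BLOCK = 16

# Hypothetical weak pattern modelled on the report above: the IV is a constant
# (here all-zero bytes, as the report suspected), so the same key + plaintext
# always yields the same ciphertext, and messages that share a prefix share
# their leading ciphertext blocks.
def encrypt_fixed_iv(key, plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-cbc').encrypt
  cipher.key = key
  cipher.iv = "\0" * BLOCK          # fixed IV: the bug
  cipher.update(plaintext) + cipher.final
end

# Corrected pattern: a fresh random IV per message, prepended to the ciphertext.
# The IV is not secret; it only has to be unpredictable and never reused.
def encrypt_random_iv(key, plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-cbc').encrypt
  cipher.key = key
  iv = cipher.random_iv             # generates and sets 16 random bytes
  iv + cipher.update(plaintext) + cipher.final
end

def decrypt_random_iv(key, blob)
  cipher = OpenSSL::Cipher.new('aes-256-cbc').decrypt
  cipher.key = key
  cipher.iv = blob[0, BLOCK]        # recover the IV from the message itself
  cipher.update(blob[BLOCK..-1]) + cipher.final
end

# True when two ciphertexts share their first block, i.e. an observer who holds
# both can tell the underlying plaintexts start with the same 16 bytes.
def first_block_equal?(ct_a, ct_b)
  ct_a[0, BLOCK] == ct_b[0, BLOCK]
end

if __FILE__ == $0
  m1 = 'ACCOUNT=alice;BALANCE=100'   # constructed sample messages sharing a prefix
  m2 = 'ACCOUNT=alice;BALANCE=999'
  puts "fixed IV leaks shared prefix: #{first_block_equal?(encrypt_fixed_iv(KEY, m1), encrypt_fixed_iv(KEY, m2))}"
  c1 = encrypt_random_iv(KEY, m1)
  c2 = encrypt_random_iv(KEY, m2)
  puts "random IV leaks shared prefix: #{first_block_equal?(c1[BLOCK..-1], c2[BLOCK..-1])}"
  puts "roundtrip ok: #{decrypt_random_iv(KEY, c1) == m1}"
end
```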

@tarcieri


commented Apr 19, 2017

Hi. I'd just like to reiterate that this is an extremely serious issue. This gem should not be used until this is fixed, but given there's a PR that's been open for nearly 6 months that hasn't been touched, I have serious doubts that's ever going to happen.

It's also one of two extremely severe issues with this gem. Unless both are fixed this gem is unsafe and should not be used.

@jfinkhaeuser

Author

commented Apr 19, 2017

CVE requested and reported to https://rubysec.com/

@ArtOfCode-


commented Apr 19, 2017

@tarcieri An organisation I work with has forked this with the intention of keeping it more actively maintained - we started using this gem before realising it was insecure, so we're going to try to fix the major issues in this so we can keep using it. I'd appreciate it if you could find the time to cast an eye over the fixes we've added, since you seem to know what you're talking about :)

Charcoal-SE/aescrypt

@jfinkhaeuser

Author

commented Apr 20, 2017

And added to rubysec.com rubysec/ruby-advisory-db@fda730f
