Unauthenticated AES-CTR is vulnerable to malleability

[duskwuff]

Messages encrypted with Cryptr are vulnerable to malleability attacks.

For example, given the encrypted string from the usage sample:

const cryptr = new Cryptr('myTotalySecretKey');
const encryptedString = cryptr.encrypt('bacon');
console.log(encryptedString); // "bcb23b81c4839d06644792878e569de4f251f08007"

If the cleartext contents of this encrypted string are known, it is possible to alter the content of the encrypted string without knowledge of the key:

var tmp = Buffer.from(encryptedString, "hex");
var b1 = Buffer.from("bacon"), b2 = Buffer.from("hello");
for (var i = 0; i < b1.length; i++) {
    tmp[i + 16] ^= b1[i] ^ b2[i];
}
var ep = tmp.toString("hex");
console.log(ep); // "bcb23b81c4839d06644792878e569de4f855ff8306"

And it decrypts to the target value:

var dp = cryptr.decrypt(ep);
console.log(dp); // "hello"

This is a really big deal from a cryptographic perspective. An attacker has just modified an encrypted message in transit, and you have no way of detecting it.

AES-CTR is not an appropriate cryptographic primitive for this use case. (Ironically, the previous choice of AES-CBC was somewhat less vulnerable to this attack.)

[MauriceButler]

Hi @duskwuff ,

I have switched to using aes-256-gcm with authentication in the use-gcm branch

This seems to mitigate this issue as far as I am aware.

I am going to do some additional testing but please let me know if this is acceptable from your point of view.

[jcohenho]

can we merge this branch?

[MauriceButler]

I have merged and released this breaking change in v6.0.0