Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/cipher: deprecate NewOFB, NewCFBDecrypter and NewCFBEncrypter #69445

Closed
FiloSottile opened this issue Sep 13, 2024 · 11 comments
Closed

crypto/cipher: deprecate NewOFB, NewCFBDecrypter and NewCFBEncrypter #69445

FiloSottile opened this issue Sep 13, 2024 · 11 comments
Labels
Proposal Proposal-Accepted Proposal-Crypto Proposal related to crypto packages or other security issues
Milestone

Comments

@FiloSottile
Copy link
Contributor

Both OFB and CFB are unauthenticated encryption modes, which should be used only in very particular circumstances. They are also way less popular than the most used unauthenticated encryption mode, CTR, and our implementations are less optimized and not covered by the Go+BoringCrypto mode.

OFB mode is essentially unused (four real Debian CodeSearch hits). CFB mode is almost unused (five real Debian CodeSearch hits, a few more using other code search tools)

The CFB implementation in crypto/cipher arguably misuses the Stream interface, too. Unlike CTR or OFB that turn a block cipher into a true stream cipher by producing a keystream that is then XOR'd with the plaintext or ciphertext, CFB operates on the actual plaintext or ciphertext input. This is visible in the Encrypter / Decrypter asymmetry, and makes it impossible to XOR some zeroes to then XOR the result with the plaintext/ciphertext, which would be a reasonable expectation to have of a Stream.

We'd not be adding these if we were deciding today, we are not going to take optimizations for them, and we want to generally steer users away from them and towards authenticated modes like GCM or at least towards the more popular, more optimized, and Go+BoringCrypto covered CTR.

/cc @golang/security @golang/proposal-review

@FiloSottile FiloSottile added Proposal Proposal-Crypto Proposal related to crypto packages or other security issues labels Sep 13, 2024
@FiloSottile FiloSottile added this to the Proposal milestone Sep 13, 2024
@ianlancetaylor ianlancetaylor moved this to Incoming in Proposals Sep 18, 2024
@aclements
Copy link
Member

This proposal has been added to the active column of the proposals project
and will now be reviewed at the weekly proposal review meetings.

@aclements aclements moved this from Incoming to Active in Proposals Oct 23, 2024
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/621957 mentions this issue: crypto/cipher: add small CTR benchmark, remove CFB/OFB benchmarks

@aclements
Copy link
Member

For the purposes of FIPS certification, is it enough to simply mark these as deprecated?

@FiloSottile
Copy link
Contributor Author

For the purposes of FIPS certification, is it enough to simply mark these as deprecated?

These will sit outside the boundary of the FIPS module, so for the purposes of certification they don't exist, and we don't even need to deprecate them. Now felt like a good time to deprecate them to signal that we did not put them within the FIPS module boundary and did not get them validated, and to be able to make statements like "all non-deprecated functions that NIST considers approved and not legacy are validated".

@aclements
Copy link
Member

@FiloSottile , can you write out exactly what the deprecation message would be for these, including steering people toward the right replacement? Thanks.

@FiloSottile
Copy link
Contributor Author

// Deprecated: CFB mode is not authenticated, which generally enables active
// attacks to manipulate and recover the plaintext. It is recommended that
// applications use [AEAD] modes instead. The standard library implementation of
// CFB is also unoptimized and not validated as part of the FIPS 140-3 module.
// If an unauthenticated [Stream] mode is required, use [NewCTR] instead.

Same for OFB.

gopherbot pushed a commit that referenced this issue Nov 18, 2024
CFB and OFB are mostly unused, and not a performance target.

Updates #39365
Updates #69445

Change-Id: Ice6441e4fee2112a9e72607c63e49dbc50441ba6
Reviewed-on: https://go-review.googlesource.com/c/go/+/621957
Reviewed-by: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
@aclements aclements moved this from Active to Likely Accept in Proposals Nov 21, 2024
@aclements
Copy link
Member

Based on the discussion above, this proposal seems like a likely accept.

The proposal is to deprecate the following functions from crypto/cipher: NewOFB, NewCFBDecrypter, and NewCFBEncrypter.

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/631019 mentions this issue: crypto/cipher: deprecate NewOFB, NewCFBDecrypter, and NewCFBEncrypter

gopherbot pushed a commit that referenced this issue Nov 22, 2024
Updates #69445

Change-Id: Ie9cd13d65f1f989f24731f8b09bbc5124873549f
Reviewed-on: https://go-review.googlesource.com/c/go/+/631019
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Bypass: Filippo Valsorda <filippo@golang.org>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
@aclements
Copy link
Member

No change in consensus, so accepted. 🎉
This issue now tracks the work of implementing the proposal.

The proposal is to deprecate the following functions from crypto/cipher: NewOFB, NewCFBDecrypter, and NewCFBEncrypter.

@aclements aclements moved this from Likely Accept to Accepted in Proposals Nov 27, 2024
@aclements aclements changed the title proposal: crypto/cipher: deprecate NewOFB, NewCFBDecrypter and NewCFBEncrypter crypto/cipher: deprecate NewOFB, NewCFBDecrypter and NewCFBEncrypter Nov 27, 2024
@aclements aclements modified the milestones: Proposal, Backlog Nov 27, 2024
@ianlancetaylor
Copy link
Member

Is there anything left to do here? As far as I can tell this is done.

@rolandshoemaker
Copy link
Member

I don't think so, closing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Proposal Proposal-Accepted Proposal-Crypto Proposal related to crypto packages or other security issues
Projects
Status: Accepted
Development

No branches or pull requests

5 participants