Security Concerns when encrypting the database with password

[ronnieoverby]

I have a few concerns. For LiteDB's encryption feature to be taken seriously, these should be addressed:

• Unpredictable IV per page ( MULTI IVs for Improved Database Security  #360 already mentions this )
• Move to authenticated Encryption or "Encrypt-then-MAC" (currently uses unauthenticated symmetric encryption)
• Ensure cryptographically secure RNG is used throughout (I sent a pull request for one instance, but haven't audited the code base).
• Use an alternative key derivation scheme. Currently uses Rfc2898DeriveBytes with defaults.
  • There are issues with Rfc2898DeriveBytes. It's default iteration count is too low and it is hard coded to use SHA1. Use a better implementation.

http://securitydriven.net/inferno/ is a wonderful library that leverages existing crypto api's in a way that makes it much harder to screw up.

The author also has a companion book that I would recommend to anyone. The library is MIT licensed, professionally audited and highly regarded.

One issue is that it hasn't been ported to target .NET standard yet, but they are talking about it in their issues (it's the only open issue).

Anyway, those are my thoughts.

[elyoh]

Completely agree with this.

I also noticed that there is a critical bug in that an SHA1 hash of the database password is stored in the database header page. Any file with the same password will have the same password hash. A malicious user could generate hashes for common passwords and simply compare them with the hash stored in the header page which is computationally easy.

[mbdavid]

Hi @ronnieoverby and @elyoh,

LiteDB implement a simple encription feature (and now reading this I can see how simple is it). This must be reviewed. This encryption is on my list be complete re-write, but first I will need undersant better all encryption process. I only knows basics about encryption. There is any reference where I can study more about this?

[ronnieoverby]

The book I referenced is a good start. The theme of the book is "you aren't a cryptography expert, so just do what the experts tell you and nothing else".

That should be your mantra. It's mine.

There's a section in the book that's all about symmetric encryption and common mistakes. Here are the common mistakes that he lists:

Here is a non-exhaustive list of common symmetric encryption mistakes you should learn to recognize:

1. Not using an unpredictable IV in CBC mode (IV is calculated somehow, or reused).
2. Using Symmetric Encryption without Authenticated Encryption (i.e. MAC is not included).
3. Using Authenticated Encryption but forgetting to include IV as part of MAC.
4. Not using two independent keys for EtM (same key or dependent keys). 5. Using a non-cryptographically-strong RNG (ex. using System.Random() instead of CSP-based RNG).
5. Improperly deriving master key from SKM (ex. hashing user-provided password string).
6. Using silent-fallback with UTF encodings or using UTF-based encodings instead of string serialization.

Addressing each of these issues would be a good start. Also, read that book. It's $19.

[ppuvanasingam]

Has this been fixed? We are considering using LiteDB for our software. Password encryption is of great importance to us. Please advise.

[PaulVrugt]

@mbdavid
same here. We're also looking to use this library. Proper encryption is a MUST for us. Any progress?

[lbnascimento]

Hi! With the objective of organizing our issues, we are closing old unsolved issues. Please check the latest version of LiteDB and open a new issue if your problem/question/suggestion still applies. Thanks!