
Implement better encryption / Libsodium #343

Closed
rugk opened this issue Jul 8, 2016 · 10 comments

Comments

@rugk

rugk commented Jul 8, 2016

This blog post is a bit older, but it explains why the encryption used in OwnCloud is somewhat flawed:
https://blog.hboeck.de/archives/880-Pwncloud-bad-crypto-in-the-Owncloud-encryption-module.html

I wonder whether there is any plan to change this crypto module and address these concerns in Nextcloud.

@rugk rugk changed the title Fix strange encryption Fix flaws in encryption module Jul 8, 2016
@MorrisJobke
Member

@LukasReschke Didn't you implement something to address some points of this?

@LukasReschke
Member

LukasReschke commented Jul 8, 2016

Reading that article helps 😉

I reported this to Owncloud via Hacker One in January. The first fix they proposed was a change where they used Counter-Mode (CTR) in combination with HMAC. They still encrypt the file in blocks of 8192 bytes in size. While this is certainly less problematic than the original construction, it still had an obvious problem: all the 8192-byte file blocks were encrypted the same way. Therefore an attacker can swap or remove chunks of a file. The encryption is still malleable.

The second fix then included a counter of the file and also avoided attacks where an attacker can go back to an earlier version of a file. This solution is shipped in Owncloud 9.0, which has recently been released.
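
The two constructions described in this comment, as an added example (not ownCloud or Nextcloud code): a per-chunk CTR+HMAC scheme whose MAC covers only the IV and ciphertext, next to one whose MAC additionally covers the file version, the chunk index and the chunk count. Assumptions of the demo: AES-CTR is replaced by an HMAC-SHA256 counter keystream so the script needs only the Python standard library, the key split, the exact AAD layout and the `expected_version` rollback check are this example's own design, and the three-chunk file is constructed test data.

```python
"""Chunk-swap, truncation and rollback against per-chunk encrypt-then-MAC."""
import hashlib
import hmac
import os
import struct

CHUNK_SIZE = 8192  # chunk size discussed in the thread
IV_LEN = 16


def _split_keys(key: bytes):
    """Derive independent encryption and MAC keys from one master key (demo design)."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream HMAC(enc_key, iv || counter); a stand-in for AES-CTR, not the real cipher."""
    out, ctr = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, iv + struct.pack(">Q", ctr), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _chunks(data: bytes):
    return [data[i:i + CHUNK_SIZE] for i in range(0, len(data), CHUNK_SIZE)] or [b""]


# Scheme 1: CTR + HMAC per chunk. Nothing in the MAC says where the chunk belongs.
def naive_encrypt(key: bytes, data: bytes) -> list:
    enc_key, mac_key = _split_keys(key)
    out = []
    for pt in _chunks(data):
        iv = os.urandom(IV_LEN)
        ct = _xor(pt, _keystream(enc_key, iv, len(pt)))
        out.append((iv, ct, hmac.new(mac_key, iv + ct, hashlib.sha256).digest()))
    return out


def naive_decrypt(key: bytes, chunks: list) -> bytes:
    enc_key, mac_key = _split_keys(key)
    pt = b""
    for iv, ct, tag in chunks:
        if not hmac.compare_digest(tag, hmac.new(mac_key, iv + ct, hashlib.sha256).digest()):
            raise ValueError("MAC failure")
        pt += _xor(ct, _keystream(enc_key, iv, len(ct)))
    return pt  # any reordering or removal of whole chunks still verifies


# Scheme 2: the MAC also binds file version, chunk index and chunk count.
def _aad(version: int, index: int, count: int) -> bytes:
    return struct.pack(">QQQ", version, index, count)


def bound_encrypt(key: bytes, data: bytes, version: int) -> dict:
    enc_key, mac_key = _split_keys(key)
    pts, out = _chunks(data), []
    for i, pt in enumerate(pts):
        iv = os.urandom(IV_LEN)
        ct = _xor(pt, _keystream(enc_key, iv, len(pt)))
        tag = hmac.new(mac_key, _aad(version, i, len(pts)) + iv + ct, hashlib.sha256).digest()
        out.append((iv, ct, tag))
    return {"version": version, "count": len(pts), "chunks": out}


def bound_decrypt(key: bytes, blob: dict, expected_version: int) -> bytes:
    """expected_version: newest version the verifier remembers; anything older is a rollback."""
    enc_key, mac_key = _split_keys(key)
    if blob["version"] < expected_version:
        raise ValueError("rollback to an older file version")
    if len(blob["chunks"]) != blob["count"]:
        raise ValueError("chunk count mismatch (truncation or append)")
    pt = b""
    for i, (iv, ct, tag) in enumerate(blob["chunks"]):
        expect = hmac.new(mac_key, _aad(blob["version"], i, blob["count"]) + iv + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):  # index and count are inside the tag, so they cannot be forged
            raise ValueError(f"MAC failure at chunk {i} (swapped or modified)")
        pt += _xor(ct, _keystream(enc_key, iv, len(ct)))
    return pt


def _accepts(fn, *args) -> bool:
    try:
        fn(*args)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Run the attacks against both schemes; constructed 3-chunk file, constructed key."""
    key = hashlib.sha256(b"demo master key (constructed)").digest()
    data = b"A" * CHUNK_SIZE + b"B" * CHUNK_SIZE + b"C" * 100
    naive = naive_encrypt(key, data)
    swapped_pt = naive_decrypt(key, [naive[1], naive[0], naive[2]])  # verifies, chunks reordered
    v1 = bound_encrypt(key, data, version=1)
    bswapped = dict(v1, chunks=[v1["chunks"][1], v1["chunks"][0], v1["chunks"][2]])
    truncated = dict(v1, chunks=v1["chunks"][:2])
    v2 = bound_encrypt(key, data + b"D", version=2)
    return {
        "naive_swap_accepted": swapped_pt == b"B" * CHUNK_SIZE + b"A" * CHUNK_SIZE + b"C" * 100,
        "naive_drop_accepted": _accepts(naive_decrypt, key, naive[:2]),
        "bound_roundtrip": bound_decrypt(key, v1, 1) == data,
        "bound_swap_rejected": not _accepts(bound_decrypt, key, bswapped, 1),
        "bound_truncate_rejected": not _accepts(bound_decrypt, key, truncated, 1),
        "bound_rollback_rejected": not _accepts(bound_decrypt, key, v1, 2),
        "bound_newer_accepted": bound_decrypt(key, v2, 2) == data + b"D",
    }
```

Note that the version check only helps if the verifier keeps the newest version number somewhere the attacker cannot rewrite; binding the version into every chunk tag is what stops an attacker from relabelling an old blob as the current one.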

@go2sh
Contributor

go2sh commented Jul 8, 2016

It's very sad that PHP has no GCM support yet...

@rugk
Author

rugk commented Jul 8, 2016

Continuing reading would also be good... 😉

You may wonder at this point why they didn't switch to an authenticated encryption mode like GCM. The reason for that is that PHP doesn't support any authenticated encryption modes. There is a proposal and most likely support for authenticated encryption will land in PHP 7.1.

So this would be something you can implement - when PHP 7.1 is released.

However I admit I only read the article after I posted the link here. 😔

@rugk rugk changed the title Fix flaws in encryption module Implement GCM encryption Jul 8, 2016
@rugk
Author

rugk commented Jul 8, 2016

However you might also be able to implement it right now using libsodium and the libsodium PHP wrapper. Or you could even use ChaCha20-Poly1305, which is also a symmetric encryption scheme.
Libsodium also has more cryptographic features, for secure password hashing, random number generation and even using memory securely.

Additionally this would fix the "design your own crypto" problem as libsodium is well-tested. There is also a PHP guide.

@rugk rugk changed the title Implement GCM encryption Implement better encryption / Libsodium Jul 8, 2016
@rugk
Author

rugk commented Jul 21, 2016

Could you reopen this issue? I already adjusted the title.

Using libsodium if installed can provide a significant security advantage compared to "plain PHP" implementations.

@rugk
Author

rugk commented Feb 17, 2017

FYI Libsodium will be included in PHP 7.20 by default, so you can make use of it…

@MorrisJobke
Member

FYI Libsodium will be included in PHP 7.20 by default, so you can make use of it…

Yes - in 5 years 😞

@rugk
Author

rugk commented Feb 17, 2017

No, users can already install it by themselves and use it in earlier versions of PHP. And some hosters have Libsodium pre-installed, so it is a good idea to implement it now…

@rugk
Author

rugk commented Jul 24, 2017

Now, there is even a pure PHP polyfill by @paragonie-scott for sodium, so you have no excuse for not using it, anymore.


4 participants