Add authentication to your encrypt/decrypt operations. #18
I saw this library linked from a blog posted on elixirforum.com.
The encrypt/decrypt methods are open to padding oracle attack (https://en.wikipedia.org/wiki/Padding_oracle_attack). You need to add authentication to the protocol.
You might want to look into AES-GCM instead of AES-CBC-128. AES-GCM has authentication built-in. Otherwise you need to add an HMAC to the data. Best practice is to use an encrypt-then-authenticate scheme. (https://moxie.org/blog/the-cryptographic-doom-principle/)
This is not a feature request and I am sorry if it looked like it.
I am not referring to user authentication. I am referring to crypto authentication which prevents an attacker from modifying the ciphertext.
If you are using AES-CBC-128 you need to add an HMAC or CMAC to the encrypted data. Otherwise an attacker can modify the ciphertext. When the decrypt operation is called the padding will fail most of the time because the attacker has modified a bit. However, once in a while the attacker "guesses" the right padding and he gets a decrypt error rather than a padding error. Doing this you can get to the plaintext of a cipher in a relatively low number of requests.
Without the MAC the encrypt/decrypt functionality is open to attack. Again, this is not a feature, it is a security bug which lets an attacker retrieve the plaintext of any encrypted piece of data, assuming he has access to modifying the ciphertext.
@svileng @rubencaro You can have a look at Plug's crypto code. Initially they used AES-CBC-128 with an HMAC and then they moved to AES-GCM. I think both are fine but AES-CBC + HMAC is getting a bit dated.
See elixir-plug/plug#420 for a great explanation. It also contains lots of links to articles why this is necessary.
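The two constructions recommended in this thread, encrypt-then-MAC over AES-CBC and AES-GCM, as an added example written for this page; it is not code from the library under discussion nor from Plug. It uses only the Go standard library; the keys, the sample message and the function names are constructed for the demonstration. The point it shows is the one the reporter makes: with the HMAC verified first, a modified ciphertext is rejected with a single opaque error before any block is decrypted or any padding byte is inspected, so there is no padding/decrypt distinction left for a caller to observe.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// ErrAuth is the one error returned for any ciphertext that fails to verify.
// Using a single opaque error for tag, length and padding failures keeps the
// decryptor from signalling which check failed.
var ErrAuth = errors.New("ciphertext authentication failed")

// pkcs7Pad returns a copy of b padded to a multiple of blockSize (PKCS#7).
func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips PKCS#7 padding. It is only reached after the MAC has
// verified, so a padding failure here can no longer act as an oracle.
func pkcs7Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, ErrAuth
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize {
		return nil, ErrAuth
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, ErrAuth
		}
	}
	return b[:len(b)-n], nil
}

// EncryptCBCThenMAC returns iv || ciphertext || HMAC-SHA256(iv || ciphertext).
// encKey and macKey must be distinct keys (16-byte encKey selects AES-128).
func EncryptCBCThenMAC(encKey, macKey, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	msg := append(iv, ct...)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(msg) // the MAC covers the IV as well as every ciphertext block
	return mac.Sum(msg), nil
}

// DecryptCBCThenMAC verifies the tag in constant time and only then decrypts.
func DecryptCBCThenMAC(encKey, macKey, data []byte) ([]byte, error) {
	if len(data) < 2*aes.BlockSize+sha256.Size {
		return nil, ErrAuth
	}
	msg, tag := data[:len(data)-sha256.Size], data[len(data)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(msg)
	if !hmac.Equal(tag, mac.Sum(nil)) {
		return nil, ErrAuth // rejected before any block is decrypted
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	iv, ct := msg[:aes.BlockSize], msg[aes.BlockSize:]
	if len(ct)%aes.BlockSize != 0 {
		return nil, ErrAuth
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt, aes.BlockSize)
}

// EncryptGCM returns nonce || ciphertext+tag; GCM authenticates on its own.
func EncryptGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random 96-bit nonce per message
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptGCM maps every Open failure to the same opaque ErrAuth.
func DecryptGCM(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, ErrAuth
	}
	pt, err := gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
	if err != nil {
		return nil, ErrAuth
	}
	return pt, nil
}

func main() {
	// Constructed demo keys; real keys come from a KDF or a secrets store.
	encKey := []byte("0123456789abcdef")
	macKey := []byte("fedcba9876543210")
	data, _ := EncryptCBCThenMAC(encKey, macKey, []byte("attack at dawn"))
	pt, err := DecryptCBCThenMAC(encKey, macKey, data)
	fmt.Printf("intact:   %q err=%v\n", pt, err)
	data[aes.BlockSize] ^= 0x01 // simulate a modified ciphertext bit
	pt, err = DecryptCBCThenMAC(encKey, macKey, data)
	fmt.Printf("tampered: %q err=%v\n", pt, err)
}
```

The MAC key and the encryption key are deliberately separate inputs, and the tag is computed over the IV as well as the ciphertext, since an unauthenticated IV lets the first plaintext block be altered. With GCM the same property comes for free, at the cost of never reusing a nonce under one key.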