Add authentication to your encrypt/decrypt operations. #18

cmkarlsson opened this Issue Feb 26, 2018 · 3 comments


cmkarlsson commented Feb 26, 2018

I saw this library linked from a blog posted on

The encrypt/decrypt methods are open to a padding oracle attack. You need to add authentication to the protocol.

You might want to look into AES-GCM instead of AES-CBC-128. AES-GCM has authentication built-in. Otherwise you need to add an HMAC to the data. Best practice is to use an encrypt-then-authenticate scheme.



svileng commented Feb 27, 2018

Found an Erlang library that wraps AES-GCM for :crypto:

@cmkarlsson could you please have a quick look at hairnet's implementation? Do you think it can serve as a good example when implementing this for Cipher?



rubencaro commented Feb 27, 2018

@cmkarlsson @svileng thank you guys.

If you make a pull request adding that feature I will accept it right away, of course. But the truth is cipher is not really meant for that.

For applications that need that level of security I would recommend using a good implementation of JWT.

@rubencaro rubencaro closed this Feb 27, 2018



cmkarlsson commented Feb 27, 2018

This is not a feature request and I am sorry if it looked like it.

I am not referring to user authentication. I am referring to crypto authentication which prevents an attacker from modifying the ciphertext.

If you are using AES-CBC-128 you need to add an HMAC or CMAC to the encrypted data. Otherwise an attacker can modify the ciphertext. When the decrypt operation is called the padding will fail most of the time because the attacker has modified a bit. However, once in a while the attacker "guesses" the right padding and he gets a decrypt error rather than a padding error. Doing this you can get to the plaintext of a cipher in a relatively low number of requests.

Without the MAC the encrypt/decrypt functionality is open to attack. Again, this is not a feature, it is a security bug which lets an attacker retrieve the plaintext of any encrypted piece of data, assuming he has access to modifying the ciphertext.

@svileng @rubencaro You can have a look at Plug's crypto code. Initially they used AES-CBC-128 with an HMAC and then they moved to AES-GCM. I think both are fine but AES-CBC + HMAC is getting a bit dated.

See elixir-plug/plug#420 for a great explanation. It also contains lots of links to articles why this is necessary.
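An added example of the authenticated alternative discussed in this thread, written on top of Erlang's `:crypto` in Elixir; it is not Cipher's code and not from any commenter. It uses AES-128-GCM, assumes an OTP release that provides `:crypto.crypto_one_time_aead/7` (OTP 22 or later), and assumes a token layout of `iv || tag || ciphertext`; the point it shows is that a flipped ciphertext byte or a mismatched AAD makes decrypt fail with one uniform `:error`, so there is no padding-versus-MAC distinction for a padding oracle to exploit.

```elixir
defmodule AuthenticatedCipher do
  @moduledoc """
  AES-128-GCM encrypt/decrypt on Erlang's :crypto (added example, not Cipher's code).
  The GCM tag covers ciphertext, IV and AAD, so any modification is rejected
  uniformly with :error instead of a distinguishable padding error.
  """

  @cipher :aes_128_gcm
  @iv_bytes 12
  @tag_bytes 16

  # key must be exactly 16 bytes for aes_128_gcm; a fresh random IV per message
  def encrypt(key, plaintext, aad \\ "") when byte_size(key) == 16 do
    iv = :crypto.strong_rand_bytes(@iv_bytes)

    {ciphertext, tag} =
      :crypto.crypto_one_time_aead(@cipher, key, iv, plaintext, aad, @tag_bytes, true)

    # assumed token layout: iv || tag || ciphertext
    iv <> tag <> ciphertext
  end

  def decrypt(key, token, aad \\ "")

  def decrypt(key, <<iv::binary-size(@iv_bytes), tag::binary-size(@tag_bytes), ct::binary>>, aad)
      when byte_size(key) == 16 do
    case :crypto.crypto_one_time_aead(@cipher, key, iv, ct, aad, tag, false) do
      # wrong key, wrong AAD or any modified byte all land here, indistinguishably
      :error -> {:error, :invalid}
      plaintext -> {:ok, plaintext}
    end
  end

  # too short to even hold iv || tag: treat like any other bad token
  def decrypt(_key, _token, _aad), do: {:error, :invalid}

  # Check that tampering is rejected. Uses constructed sample data.
  def tamper_check do
    key = :crypto.strong_rand_bytes(16)
    token = encrypt(key, "session-id=42", "user:alice")
    {:ok, "session-id=42"} = decrypt(key, token, "user:alice")

    # flip one bit of the first ciphertext byte (after the 12-byte iv and 16-byte tag)
    <<head::binary-size(28), first, rest::binary>> = token
    tampered = <<head::binary, Bitwise.bxor(first, 1), rest::binary>>
    {:error, :invalid} = decrypt(key, tampered, "user:alice")

    # the same token presented under a different context (AAD) is also rejected
    {:error, :invalid} = decrypt(key, token, "user:bob")
    :ok
  end
end
```

Running `AuthenticatedCipher.tamper_check()` in `iex` returns `:ok` only if every tampered or mis-bound token is rejected; a `MatchError` would mean the check failed.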
