-
Notifications
You must be signed in to change notification settings - Fork 42
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ciphertexts are unauthenticated #37
Comments
I see how this would be valuable. How do you envision storing the signature? If an attacker can manipulate the data isn't the signature vulnerable as well? |
The MAC can be appended or prepended to the ciphertext. It would not be possible for an attacker to compute a valid MAC without knowing the key. |
So roughly along the lines of: # Encrypt and Sign
ciphertext = public_key.public_encrypt(plaintext,@padding)
digest = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.const_get(@digest).new,
@hmac_secret,
plaintext)
ciphertext += "--#{digest}" # Unsafe assumption
# Decrypt and verify
ciphertext, digest = ciphertext.split("--")
plaintext = private_key.private_decrypt(ciphertext,@padding)
d = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.const_get(@digest).new,
@hmac_secret,
plaintext)
raise InvalidSignature unless constant_time_comparison(d,digest) |
If you compute the HMAC of the plaintext, you're doing encrypt-and-MAC. This was used by SSH, and is vulnerable to chosen ciphertext attacks. See e.g.: http://eprint.iacr.org/2002/078.pdf What you'd want to do here is encrypt-then-MAC ala ActiveSupport::MessageEncryptor, where you encrypt the plaintext first, then MAC the ciphertext. |
Got it, identical plaintext generates identical MACs and badness ensues. So (again roughly): # Encrypt and Sign
ciphertext = public_key.public_encrypt(plaintext,@padding)
digest = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.const_get(@digest).new,
@hmac_secret,
ciphertext)
ciphertext += "--#{digest}" # Unsafe assumption
# [...] |
If you're doing RSA encryption exclusively, you should be fine with OAEP. A MAC is needed for symmetric encryption. |
This gem does not use a MAC to verify data integrity. This can be problematic if ciphertexts are malleable by an attacker, i.e. an attacker gains access to the database and can perform chosen ciphertext attacks.
I'd suggest you add something like ActiveSupport::MessageVerifier (which uses HMAC and performs a timing-attack resistant MAC comparison) to ensure the ciphertexts are authentic:
https://github.com/rails/rails/blob/master/activesupport/lib/active_support/message_verifier.rb
The text was updated successfully, but these errors were encountered: