[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20161227170149.5anwtpb4l62hnwgt@sentinelchicken.org>
Date: Tue, 27 Dec 2016 09:01:49 -0800
From: Tim <tim-security@...tinelchicken.org>
To: fulldisclosure@...lists.org
Subject: Re: [FD] [RT-SA-2016-001] Padding Oracle in Apache
mod_session_crypto
> > res = apr_crypto_passphrase(&key, &ivSize, passphrase,
> > strlen(passphrase), (unsigned char *) (&salt), sizeof(apr_uuid_t),
> > *cipher, APR_MODE_CBC, 1, 4096, f, r->pool);
>
> CBC. Again.
>
> The earliest mention of CFB which I know is dated 1989.
> The earliest mention of CTR which I know is dated 1990-ies.
>
> But there still are people who use CBC...
>
> Please, PLEASE, PPLEEEEAASSSE don't use it. Instead, use either
> Blowfish in CFB mode or at least Rijndael (AES) in CTR (or GCM)
> mode - both are available, for example, in the OpenSSL library.
All traditional modes that lack integrity protection are vulnerable to
chosen-ciphertext attacks in these kinds of scenarios. CFB isn't
immune and CTR is catastrophically weak. All traditional modes need a
MAC or similar integrity protection. In light of that, there's
nothing particularly wrong with using CBC, if it is implemented well.
At least, using it is not *more* wrong than using OFB, CFB, or CTR
without integrity protection.
GCM is fine if the implementation is sound and the IVs never repeat,
but there are pitfalls. We should instead be pointing developers in
the direction of using something off-the-shelf, such as libsodium.
Much less room for error.
tim
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists