AES was unsupported in SA-CONTRIB-2017-027:

https://www.drupal.org/node/2857028

In Drupal 7, there are alternatives to upgrade to, but not in Drupal 6.

Modules that depend on AES will still need to decrypt and re-encrypt all their stored data, but running the database updates and then doing aes_decrypt() followed by aes_encrypt() should be enough, since the code in the patch can detect the old data and use the old key and encryption methods to decrypt the data.

Comments

dsnopek created an issue. See original summary.

dsnopek’s picture

Status: Active » Needs review
StatusFileSize
new31.62 KB

Here's a work in progress patch!

I'm doing actual development in this branch on GitHub:

https://github.com/d6lts/aes/tree/sa-2017-027

This works in my testing, but I'd love some review to double check if I managed to address the security issues. Thanks!

dsnopek’s picture

StatusFileSize
new31.62 KB
new1.48 KB

Some minor changes

heine’s picture

Without integrity validation with a HMAC, AES-CBC is vulnerable to padding oracle attacks. See https://en.wikipedia.org/wiki/Padding_oracle_attack . Depending on the use of AES in a site, it may be a relevant attack vector.

dsnopek’s picture

@Heine: Thanks for posting that note!

Our clients (for whom we're developing this patch) are storing the encrypted data in the database, so there's no service that an attacker can use to check if a message has been padded correctly or not. If someone were using AES for a service that decrypted data sent to it, then it definitely could be a risk! I can add something to the README about that.

dsnopek’s picture

StatusFileSize
new747 bytes
new32.05 KB

Here's a new patch with a short paragraph added to the README.txt

heine’s picture

Attached patch adds message authentication. HKDF + hmac verification from Defuse/PHPencryption with the change (in spirit) from https://github.com/defuse/php-encryption/issues/328#issuecomment-288876288

dsnopek’s picture

@Heine: Wow, thanks for putting that all together! I'll do some testing when I have a chance.

dsnopek’s picture

I finally got around to testing @Heine's patch from #7! One quick thing right away: it changes the API of aes_encrypt() / aes_decrypt() by throwing exceptions on failure, rather than returning FALSE. This breaks the modules using AES that I'm testing, and probably others that will expected the old API. I'll see if I can roll that back and just test the signature changes...

dsnopek’s picture

+++ b/aes.module
@@ -418,9 +423,7 @@
- aes_load_phpsec();
- include_once('Crypt/Random.php');
- return crypt_random_string(32);
+ return drupal_random_bytes(AES_KEY_BYTE_SIZE);

This is a question, not a criticism, because you understand the low-level encryption stuff here way better than I do: Besides switching from phpsec's random byte generator (crypt_random_string()) to drupal_random_bytes(), this also changes the key length from 32 bytes to 16 bytes. If we want to do AES-256, don't we want the key to be 32 bytes? Or through the magic of HKDF does the key used for encryption end up being 32 bytes?

Thanks!

dsnopek’s picture

StatusFileSize
new35.79 KB
new4.21 KB

Here's a new patch that maintains the API in case of error for aes_encrypt() and aes_decrypt(), ie. returning FALSE

dsnopek’s picture

StatusFileSize
new35.79 KB
new420 bytes

To answer my own question from #10, I tested it and this does reduce the key size from 32 to 16:

# Prints: 16
drush php-eval 'print strlen(aes_hkdf(aes_make_key(), AES_KEY_BYTE_SIZE, AES_HKDF_ENCRYPTION_INFO))'

Googling a bit, lots of people are of the opinion that AES-128 is totally sufficient and AES-256 isn't worth it. However, defuse/php-encryption is doing AES-256 and I've been using that library as an example of the "ideal":

https://github.com/defuse/php-encryption/blob/master/src/Core.php#L14

So, here's an updated patch that just increases the key size (which phpseclib will use to automatically switch to AES-256).

dsnopek’s picture

Status: Needs review » Fixed

Committed the latest patch to the repo! Thanks, Everyone!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.