Closed (fixed)
Project:
Drupal 6 Long Term Support
Component:
Code
Priority:
Normal
Category:
Task
Assigned:
Unassigned
Reporter:
Created:
8 Mar 2017 at 13:28 UTC
Updated:
7 Jun 2017 at 14:15 UTC
Jump to comment: Most recent, Most recent file
Comments
Comment #2
dsnopekHere's a work in progress patch!
I'm doing actual development in this branch on GitHub:
https://github.com/d6lts/aes/tree/sa-2017-027
This works in my testing, but I'd love some review to double check if I managed to address the security issues. Thanks!
Comment #3
dsnopekSome minor changes
Comment #4
heine commentedWithout integrity validation with a HMAC, AES-CBC is vulnerable to padding oracle attacks. See https://en.wikipedia.org/wiki/Padding_oracle_attack . Depending on the use of AES in a site, it may be a relevant attack vector.
Comment #5
dsnopek@Heine: Thanks for posting that note!
Our clients (for whom we're developing this patch) are storing the encrypted data in the database, so there's no service that an attacker can use to check if a message has been padded correctly or not. If someone were using AES for a service that decrypted data sent to it, then it definitely could be a risk! I can add something to the README about that.
Comment #6
dsnopekHere's a new patch with a short paragraph added to the README.txt
Comment #7
heine commentedAttached patch adds message authentication. HKDF + hmac verification from Defuse/PHPencryption with the change (in spirit) from https://github.com/defuse/php-encryption/issues/328#issuecomment-288876288
Comment #8
dsnopek@Heine: Wow, thanks for putting that all together! I'll do some testing when I have a chance.
Comment #9
dsnopekI finally got around to testing @Heine's patch from #7! One quick thing right away: it changes the API of
aes_encrypt()/aes_decrypt()by throwing exceptions on failure, rather than returning FALSE. This breaks the modules using AES that I'm testing, and probably others that will expected the old API. I'll see if I can roll that back and just test the signature changes...Comment #10
dsnopekThis is a question, not a criticism, because you understand the low-level encryption stuff here way better than I do: Besides switching from phpsec's random byte generator (
crypt_random_string()) todrupal_random_bytes(), this also changes the key length from 32 bytes to 16 bytes. If we want to do AES-256, don't we want the key to be 32 bytes? Or through the magic of HKDF does the key used for encryption end up being 32 bytes?Thanks!
Comment #11
dsnopekHere's a new patch that maintains the API in case of error for aes_encrypt() and aes_decrypt(), ie. returning FALSE
Comment #12
dsnopekTo answer my own question from #10, I tested it and this does reduce the key size from 32 to 16:
Googling a bit, lots of people are of the opinion that AES-128 is totally sufficient and AES-256 isn't worth it. However, defuse/php-encryption is doing AES-256 and I've been using that library as an example of the "ideal":
https://github.com/defuse/php-encryption/blob/master/src/Core.php#L14
So, here's an updated patch that just increases the key size (which phpseclib will use to automatically switch to AES-256).
Comment #13
dsnopekCommitted the latest patch to the repo! Thanks, Everyone!