Re: CBC without MAC
From: Shachar S. <sh...@sh...> - 2015-06-17 06:24:10
On 17/06/2015 02:11, Maarten Bodewes wrote:
> Hi rsyncrypto devs,
>
> I've tried reading the source code but I cannot see if there is any
> signature or MAC added to the ciphertext. Is it possible that this
> protocol is vulnerable to padding oracle attacks (in addition to changes
> to the ciphertext / plaintext)? Or am I mistaken about that?

My home internet connection is fried at the moment. It will take me a couple of days to give you a properly researched answer.

In a nutshell, I will say this:

* I was not previously aware of the padding oracle attack. Off the top of my head, the attack's premise seems counter to how rsyncrypto is typically used, but I'm open to hearing differing opinions.

* There is no signature protecting the entire file. I'll elaborate when I'm not at work (in a couple of days, I hope).

* If memory serves me right, the padding is not checked. This also violates the premise that POA relies upon. Then again, it might be an opening to a whole host of other problems I'm unaware of.

Feel free to chime in. I always appreciate constructive feedback.

> Is there any clear protocol description that would show how the
> ciphertext is constructed together?

There is http://rsyncrypto.lingnu.com/index.php/Algorithm. If you find it lacking, please tell me what you need more, and I'll try to add it.

Also, please check out the future plans, as it contains some known weaknesses and my plans of how to address them.

Shachar