
#2176 7z AES encryption - IV randomness issues

None
open-fixed
nobody
None
5
2019-03-19
2019-01-23
3lbios
No

Hi, I was reading the code for 7z encryption and saw that it's using a poor RNG for AES IV generation. What's more, the IV seems to be only 8 bytes instead of the full 16 (half of it is always 0). This is a problem as the guarantee of AES-CBC security is a 128-bit IV that is truly random i.e. derived from a cryptographic PRNG. Otherwise it resembles ECB for the first AES block and it might be easier to detect same block of plaintext in two ciphertexts. It may also decrease overall AES-CBC security.

I'm attaching screenshots of related code.

It should be easy to fix, by setting iv_size to 16 instead of 8, removing the current RNG and using the one supplied by the OS, guaranteed to be a cryptographic PRNG.

I might be able to provide a fix within a few days. How can I submit a patch for 7-zip?

Cheers,
3lbios

2 Attachments
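To make the risk described in the opening post concrete, here is an added Go example (not 7-Zip's code and not from the ticket's author). It encrypts two plaintexts under one key with AES-CBC and shows that a repeated IV, which a 64-bit or weakly generated IV makes far more likely than a fresh 128-bit one, reveals how many leading blocks the two plaintexts share. The key, the plaintexts and the `newIV` model of the "8 random bytes + 8 zero bytes" layout are constructed assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// cbcEncrypt: AES-CBC over block-aligned input, no padding (enough for the demo).
func cbcEncrypt(key, iv, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, plaintext)
	return out
}

// newIV fills the first randomBytes of a 16-byte IV from the OS CSPRNG and leaves
// the rest zero. newIV(8) models the old layout the ticket describes (constructed
// model, not 7-Zip's code); a 64-bit IV is expected to repeat after ~2^32 draws.
func newIV(randomBytes int) []byte {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv[:randomBytes]); err != nil {
		panic(err)
	}
	return iv
}

// sharedPrefixBlocks counts leading 16-byte blocks two equal-length ciphertexts
// share: under CBC a repeated IV exposes any common plaintext prefix this way.
func sharedPrefixBlocks(c1, c2 []byte) int {
	n := 0
	for i := 0; i+aes.BlockSize <= len(c1) && bytes.Equal(c1[i:i+aes.BlockSize], c2[i:i+aes.BlockSize]); i += aes.BlockSize {
		n++
	}
	return n
}

func main() {
	key := []byte("0123456789abcdef") // constructed demo key
	p1, p2 := []byte("same first blockthen differs...1"), []byte("same first blockthen differs...2")
	iv := newIV(8) // the same 64-bit draw landing twice, as a weak or short IV makes likely
	fmt.Println("reused IV, shared blocks:", sharedPrefixBlocks(cbcEncrypt(key, iv, p1), cbcEncrypt(key, iv, p2)))
	fmt.Println("fresh 128-bit IVs, shared blocks:", sharedPrefixBlocks(cbcEncrypt(key, newIV(16), p1), cbcEncrypt(key, newIV(16), p2)))
}
```

With the reused IV the first ciphertext blocks coincide (1 shared block), so an observer learns the two inputs start identically; with two fresh 128-bit IVs no block coincides.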

Discussion

  • Scott

    Scott - 2019-01-31

    Is there any way to promote bugs for fixing? This seems a little concerning, but if the finder can share their estimate of the severity, it might clarify the risk and spur attention?

  • Rick Smith

    Rick Smith - 2019-02-04

    If 7zip is intended to provide "toy" encryption then this bug has a low priority. CBC should use a random unpredictable IV. If we relax that constraint, we may open an attack on the crypto. Or maybe not. The safe thing to do is to make the fix. No doubt there are other compromises in the crypto code. If we minimize our shortcomings, we increase our security assurance.

  • zzz

    zzz - 2019-02-24

    Was this fixed in version 19.00?

    What's new after 7-Zip 18.06:

    Encryption strength for 7z archives was increased:
    the size of random initialization vector was increased from 64-bit to 128-bit,
    and the pseudo-random number generator was improved.
    Some bugs were fixed

    Last edit: zzz 2019-02-24
  • 3lbios

    3lbios - 2019-02-25

    Yep, looks like the RNG and IV are fixed now - I just looked at the new code.
    Still the KDF could use more iterations, at least 10000 (currently it's 1000), but that's another thing.

    • Igor Pavlov

      Igor Pavlov - 2019-02-25

      1000 is from specification of WinZip-AES method.
      And I can't change third-party specifications.

      And that problem is not big.
      Even if they change 1000 to 30000 iterations, then it complicates password search only for one additional letter, but it can be much slower for a big number of encrypted files in a zip archive.


      Last edit: Igor Pavlov 2019-02-25
  • Igor Pavlov

    Igor Pavlov - 2019-02-25
    • status: open --> open-fixed
  • zzz

    zzz - 2019-02-25

    Ok, thanks. Could you please let the users know, if it is recommended to recreate older encrypted 7z archives? Or are they considered safe? Maybe this info can be added to the changelog, too.

  • Igor Pavlov

    Igor Pavlov - 2019-02-25

    No need to recreate 7z archives.
    Old archives are safe too.

    • Guillaume

      Guillaume - 2019-02-25

      Wait, what? How can old archives be safe when they're created using a botched encryption method?

      • Igor Pavlov

        Igor Pavlov - 2019-02-25

        It's just a difference in the level of security.
        In the previous version there were some low-probability cases where the level of security was not 100%, but maybe something like 99.99999%, but it's only for some rare cases.
        So previous version was pretty safe too.

  • aONe

    aONe - 2019-03-19

    In case it is needed, here a patch to use the updated code from 19.00 in p7zip 16.02:
    15-Enhanced-encryption-strength.patch.zip (github.com)

