top | item 14589988

(no title)

analogist | 8 years ago

Wow. This is yet another example of the fatal combination of Rolling Your Own Crypto + Using OpenSSL Directly And Blowing Your Own Foot Off Because It Lets You.

  var cipher = crypto.createCipher('aes-256-ctr', key.toString('hex'))

Besides the completely fatal error of using derived and non-unique IVs (fatal as in, if you encrypt more than 1 item with it, it is exactly as good as plaintext because any two items encrypted with the same key+iv in CTR mode cancels out to plaintext), isn't using hex encoding vastly constraining the possible complexity-per-byte of the key?

A single hard-coded salt for key derivation:

  const key = crypto.pbkdf2Sync(auth, '0945jv209j252x5', 100000, 512, 'sha512');

Again, the salt is only lowercase alphanumeric. This makes this 120-bit salt really just a 77-bit salt. But since it's hard-coded and not randomly generated, it's a 0-bit salt.

Can everyone who is developing crypto apps Just Use NaCl/Libsodium?

discuss

stouset|8 years ago

As an infosec guy, I'm honestly getting really tired of this. Virtually every time someone submits some new security tool to Hacker News, the author has made trivial, catastrophic, and what should be completely avoidable security mistakes.

So for the hundredth time, if you're not a cryptographer or experienced security engineer, please stop releasing and promoting your crypto-related projects before they have been vetted by someone who is. If this is something you intend to release, ideally run the basic idea by someone qualified first. By not doing so, you are doing active harm. Someone's life and/or liberty may very well depend on the software you write, and when you fail them in this regard you are ethically and morally responsible when these things are taken from them.

zgotsch|8 years ago

Is there a good way to find people who are qualified to do such a review? This paper was written by a Ph.D. student and professor of Computer Science at a respected university. The professor teaches a crypto course on Udacity (https://www.udacity.com/course/applied-cryptography--cs387). If they don't meet the criteria for being cryptographers, I wonder how many people in the world do?

tcoff91|8 years ago

What blows my mind is that most of these errors we see in these tools submitted to HN are errors that were all covered in my 'Introduction to Cryptography' course I took when getting my CS degree.

People seriously need to stop rolling their own crypto.

sgdread|8 years ago

5c from me:

1) why CTR mode was chosen? I would probably go with something like GCM: privacy + integrity check.

2) IV ideally should be re-generated on every re-encryption. It doesn't have to be secret, but has to be random (securely random).

tptacek|8 years ago

GCM has exactly the same problem with respect to nonces (GCM, like CTR, has a nonce, not an IV, but the terms are unfortunately used interchangeably).

The secrecy/predictability/uniqueness rules for IVs and nonces depend on the specific cipher mode you're using, so be careful about writing generic recommendations. Also, be very careful with the word "ideally", because if you get an IV or nonce wrong, chances are your problems are much worse than "not ideal".

technion|8 years ago

The good news appears to be that this has prompted some upstream discussion.

https://github.com/nodejs/node/issues/13801