Today we published a security fix for http://golang.org/x/crypto/salsa20. If you generated more than 256 GiB of output from a single key+nonce pair, it would loop due to a counter overflow. Found by @mbmcloughlin's fuzzers. https://groups.google.com/d/msg/golang-announce/tjyNcJxb2vQ/n0NRBziSCAAJ
The issue is also present in the upstream implementations from SUPERCOP, NaCl and from the official Salsa20 website, but it will not be fixed there because the author does not consider it a problem. (Because NaCl tells you not to encrypt messages bigger than 4 KiB.)
Replying to @FiloSottile
The cipher stream would cycle? Does that mean that the implementations are incompatible now and that > 256 GiB of data would decrypt to garbage, while still having an EtM HMAC or Poly1305 tag pass?
Replying to @colmmacc @FiloSottile
Yes. But also note: implementations vulnerable to this can have portions of their output very simply decrypted; if you xor the two portions of the message together you get A xor B. From here it's a pencil and paper effort to decrypt.
Replying to @pikhq @FiloSottile
Of course! And a disaster for a naive Salsa20-based RNG (I did a survey of RNGs about a year ago and none looked like that at the time). I asked because my greatest concern in this case would be for some poor people who used this for file encryption ...
... I can well imagine someone encrypting a snapshot of that size. The MAC/tag is valid, it'll pass the simple corruption tests, and even a full read-back test will work if the bug is deterministic (it looks to be to me) ... but now post-fix, it might be made unrestorable :(
This is bad. But what would you suggest? Re-introducing the bug so that they can decrypt their file? That’s obviously not an option. And the previous behavior can still be emulated.
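The failure mode the thread describes (keystream cycling after 2^32 blocks of 64 bytes, i.e. 256 GiB, and the resulting "XOR the two ciphertext portions and you get A xor B"), as an added, stand-alone example that is not part of the thread and not the golang.org/x/crypto code. The Salsa20/20 core below is written from the Salsa20 specification for this example; the `wrap32` flag is an assumed model of the bug (the block counter truncated to 32 bits before it reaches the core), not the literal defect in the amd64 assembly. The key, nonce and plaintext blocks are constructed sample data, and positions are chosen so that nothing close to 256 GiB has to be generated: block 0 and block 2^32 are computed directly.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Salsa20/20 core written from the specification for this example.
// It is NOT the golang.org/x/crypto implementation.

func rotl(v uint32, n uint) uint32 { return v<<n | v>>(32-n) }

func quarterRound(a, b, c, d uint32) (uint32, uint32, uint32, uint32) {
	b ^= rotl(a+d, 7)
	c ^= rotl(b+a, 9)
	d ^= rotl(c+b, 13)
	a ^= rotl(d+c, 18)
	return a, b, c, d
}

func le(b []byte) uint32 { return binary.LittleEndian.Uint32(b) }

// salsa20Block returns the 64-byte keystream block for a full 64-bit block
// counter (words 8 and 9 of the state hold the low and high halves).
func salsa20Block(key *[32]byte, nonce *[8]byte, counter uint64) [64]byte {
	sigma := []byte("expand 32-byte k")
	var x [16]uint32
	x[0], x[5], x[10], x[15] = le(sigma[0:]), le(sigma[4:]), le(sigma[8:]), le(sigma[12:])
	for i := 0; i < 4; i++ {
		x[1+i] = le(key[4*i:])
		x[11+i] = le(key[16+4*i:])
	}
	x[6], x[7] = le(nonce[0:]), le(nonce[4:])
	x[8], x[9] = uint32(counter), uint32(counter>>32)
	in := x
	for i := 0; i < 10; i++ { // 10 double rounds = Salsa20/20
		x[0], x[4], x[8], x[12] = quarterRound(x[0], x[4], x[8], x[12])
		x[5], x[9], x[13], x[1] = quarterRound(x[5], x[9], x[13], x[1])
		x[10], x[14], x[2], x[6] = quarterRound(x[10], x[14], x[2], x[6])
		x[15], x[3], x[7], x[11] = quarterRound(x[15], x[3], x[7], x[11])
		x[0], x[1], x[2], x[3] = quarterRound(x[0], x[1], x[2], x[3])
		x[5], x[6], x[7], x[4] = quarterRound(x[5], x[6], x[7], x[4])
		x[10], x[11], x[8], x[9] = quarterRound(x[10], x[11], x[8], x[9])
		x[15], x[12], x[13], x[14] = quarterRound(x[15], x[12], x[13], x[14])
	}
	var out [64]byte
	for i := range x {
		binary.LittleEndian.PutUint32(out[4*i:], x[i]+in[i])
	}
	return out
}

// cycleBytes is how much keystream a 32-bit block counter can produce before
// it wraps: 2^32 blocks of 64 bytes = 256 GiB.
func cycleBytes() uint64 { return (1 << 32) * 64 }

// keystreamBlock returns the keystream an implementation uses for the
// blockIndex-th 64-byte block of a message. With wrap32 set, the counter is
// truncated to 32 bits before reaching the core (assumed model of the bug),
// so block 2^32, 256 GiB into the stream, reuses the keystream of block 0.
func keystreamBlock(key *[32]byte, nonce *[8]byte, blockIndex uint64, wrap32 bool) [64]byte {
	if wrap32 {
		blockIndex = uint64(uint32(blockIndex))
	}
	return salsa20Block(key, nonce, blockIndex)
}

// xorBlock is both encryption and decryption of one block under a stream cipher.
func xorBlock(a, b [64]byte) (out [64]byte) {
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// Constructed sample key and nonce (not from the thread).
var sampleKey = [32]byte{0x80, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31}
var sampleNonce = [8]byte{0xde, 0xad, 0xbe, 0xef, 0x00, 0x11, 0x22, 0x33}

// twoTimePad encrypts pA as block 0 and pB as block 2^32 of the same stream,
// then does the only thing an attacker without the key can do: XOR the two
// ciphertext blocks. reused reports whether that XOR equals pA XOR pB, which
// is exactly the "A xor B" condition from the thread.
func twoTimePad(pA, pB [64]byte, wrap32 bool) (xor [64]byte, reused bool) {
	cA := xorBlock(pA, keystreamBlock(&sampleKey, &sampleNonce, 0, wrap32))
	cB := xorBlock(pB, keystreamBlock(&sampleKey, &sampleNonce, 1<<32, wrap32))
	xor = xorBlock(cA, cB)
	return xor, xor == xorBlock(pA, pB)
}

func main() {
	var pA, pB [64]byte
	copy(pA[:], "block 0: first 64 bytes of a large snapshot")      // constructed
	copy(pB[:], "block 2^32: the 64 bytes exactly 256 GiB further in") // constructed
	fmt.Printf("keystream cycles after %d bytes with a 32-bit counter\n", cycleBytes())
	for _, buggy := range []bool{true, false} {
		xor, reused := twoTimePad(pA, pB, buggy)
		fmt.Printf("wrap32=%-5v C_A xor C_B = %x...  equals P_A xor P_B: %v\n", buggy, xor[:8], reused)
	}
}
```

Running it with `wrap32=true` shows the two ciphertext blocks XOR to the XOR of the plaintexts (the pencil-and-paper two-time-pad situation); with the full 64-bit counter they do not. The same flag is also what "the previous behavior can still be emulated" amounts to in this model: a file written by the broken build decrypts only if the reader truncates the counter the same way, since the fixed counter produces different keystream from block 2^32 onward while any MAC over the ciphertext stays valid either way.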