Today we published a security fix for http://golang.org/x/crypto/salsa20. If you generated more than 256 GiB of output from a single key+nonce pair, it would loop due to a counter overflow. Found by @mbmcloughlin's fuzzers. https://groups.google.com/d/msg/golang-announce/tjyNcJxb2vQ/n0NRBziSCAAJ
The issue is also present in the upstream implementations from SUPERCOP, NaCl and from the official Salsa20 website, but it will not be fixed there because the author does not consider it a problem. (Because NaCl tells you not to encrypt messages bigger than 4 KiB.)
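Why 256 GiB is the magic number, and what the defect class looks like, as an added illustration that is not the x/crypto code or the fix itself: Salsa20 emits 64-byte keystream blocks indexed by a 64-bit little-endian block counter, so a counter update that never carries into the upper 32 bits wraps after 2^32 blocks, which is exactly 2^32 × 64 B = 256 GiB. The code below models the two counter schemes in closed form (no need to actually walk 2^32 blocks), uses SHA-256 over key||nonce||counter as a stand-in for the Salsa20 core (any PRF of those inputs repeats the same way; this substitution and the all-zero test key are assumptions of the example), and ends with the output-budget guard a caller of an unpatched implementation can enforce per key+nonce pair.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Salsa20 parameters (spec values, not assumptions).
const (
	BlockSize = 64
	// 2^32 blocks of 64 bytes = 256 GiB: the output length at which a
	// counter that never carries into its upper 32 bits wraps to zero.
	MaxBytesBeforeWrap = uint64(1<<32) * BlockSize
)

// counterCorrect returns the counter bytes for block number pos when the
// full 64-bit counter is advanced once per block.
func counterCorrect(pos uint64) [8]byte {
	var c [8]byte
	binary.LittleEndian.PutUint64(c[:], pos)
	return c
}

// counterBuggy models the defect class described in the thread: only the
// low 32 bits advance, the high half stays zero, so block 2^32 reuses the
// counter of block 0. Constructed illustration, not the x/crypto source.
func counterBuggy(pos uint64) [8]byte {
	var c [8]byte
	binary.LittleEndian.PutUint32(c[:4], uint32(pos))
	return c
}

// keystreamBlock stands in for the Salsa20 core (assumption of this
// example): a PRF of key||nonce||counter, stretched to one 64-byte block.
func keystreamBlock(key [32]byte, nonce [8]byte, counter [8]byte) [BlockSize]byte {
	h := sha256.New()
	h.Write(key[:])
	h.Write(nonce[:])
	h.Write(counter[:])
	first := h.Sum(nil)
	h.Write([]byte{1}) // domain-separate the second half
	second := h.Sum(nil)
	var out [BlockSize]byte
	copy(out[:32], first)
	copy(out[32:], second)
	return out
}

// BlockRepeats reports whether block number pos yields the same keystream
// as block 0 under the given counter scheme (all-zero key and nonce are a
// constructed test fixture; the result does not depend on their value).
func BlockRepeats(pos uint64, counterFn func(uint64) [8]byte) bool {
	var key [32]byte
	var nonce [8]byte
	a := keystreamBlock(key, nonce, counterFn(0))
	b := keystreamBlock(key, nonce, counterFn(pos))
	return a == b
}

// CheckOutputBudget is the defensive guard a caller of a not-yet-patched
// implementation can apply: refuse to derive more than 256 GiB of keystream
// from one key+nonce pair. Written to avoid unsigned underflow/overflow.
func CheckOutputBudget(bytesSoFar, toWrite uint64) error {
	if bytesSoFar > MaxBytesBeforeWrap || toWrite > MaxBytesBeforeWrap-bytesSoFar {
		return errors.New("salsa20: 256 GiB output budget for this key+nonce exceeded")
	}
	return nil
}

func main() {
	fmt.Printf("wrap point: %d bytes (%d GiB)\n", MaxBytesBeforeWrap, MaxBytesBeforeWrap>>30)
	fmt.Println("buggy counter, block 2^32 == block 0:", BlockRepeats(1<<32, counterBuggy))
	fmt.Println("correct counter, block 2^32 == block 0:", BlockRepeats(1<<32, counterCorrect))
	fmt.Println("budget check at exactly 256 GiB:", CheckOutputBudget(0, MaxBytesBeforeWrap))
	fmt.Println("budget check one byte past:", CheckOutputBudget(MaxBytesBeforeWrap, 1))
}
```

The repetition is what turns a counter bug into a confidentiality break: once block 2^32 equals block 0, the ciphertext from the second 256 GiB XORs to a known relation with the first, and the stream is no longer unpredictable, which is the point made further down the thread.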
Replying to @FiloSottile
The cipher stream would cycle? Does that mean that the implementations are incompatible now and that > 256 GiB of data would decrypt to garbage, while still having an EtM HMAC or Poly1305 tag pass?
Replying to @colmmacc
Well, yeah, that's what happens when the cipher stream is wrong. (Worse, since it cycles it breaks unpredictability and secrecy.) Not sure I understand your point?
Replying to @FiloSottile
See my followup tweets: I just worry that there's a risk that the fix will render some data undecryptable; either because it was encrypted with the broken version, or because of interop between the now inconsistent versions. It's an operational risk too.
Replying to @colmmacc @FiloSottile
Like I'd say to people: hey, if you did encrypt > 256 GiB, for file storage or something, then you need to go decrypt it with the old version, then re-encrypt it with the fixed version, and never use the NaCl version.
Replying to @colmmacc
I agree it's unfortunate, but the confidentiality concern definitely dominates. Also, it's easy to roll back a Go dependency (if you realize that's your issue). As for telling people, that feels too use-case specific to effectively communicate it to a wide audience.
The fix is absolutely necessary; no argument there! We don't use this cipher at AWS for durable data or large payloads, but I'm just having a nightmare thinking about "what if we did"; it'd be a major pain. This is nitty minutia, but we obsess over it ;-)