Late night emergency thread about this super interesting bug in Salsa20 because it is a case where MAC-then-Encrypt is better than Encrypt-then-MAC. But that's supposed to be heresy! https://twitter.com/FiloSottile/status/1108578067713265664
Here's why! If we go back to my XOR example: https://twitter.com/colmmacc/status/1101572361365516288
So in my example 3 was the plaintext, and 7 was the key. 3 ^ 7 = 4, so that's the encrypted text. Let's say we encrypted 5 too. 5 ^ 7 = 2. Well it turns out that XORing the encrypted text is just like XORing the plaintext. 3 ^ 5 = 6, and 4 ^ 2 = 6.
So re-using the same stream reveals the "difference" between the plain-texts. There's enough information in there to make guesses at what the plaintext is. O.k. so the bug is bad, and has to be fixed. Real world things could hit this: e.g. people might be encrypting a snapshot.
But here's what's interesting: the fix also breaks anything that's already encrypted! If you stored a > 256GiB encrypted image using Salsa20 ... it will now partially decrypt to garbage.
The normal defense against this in cryptography is the MAC. A MAC is basically a keyed checksum of the data; if the data ever changes, even by one bit, the MAC should fail to validate. But in this case, an encrypt-then-MAC style MAC will be absolutely valid!
To detect this kind of corruption: you'd need to have a MAC of the plaintext. MAC-then-encrypt is usually considered a bad practice, because it leaves the cryptography open to side-channel experimentation by attackers, but in this case you absolutely need it!
So really you need MAC-then-encrypt-then-also-MAC! I call this scheme Combined Online Linear Message MAC And Corruption Check (it's ok to shorten that to COLMMACC).
But seriously; if you used this cipher for a large volume data store (we don't!) fixing this would be a *major* pain. You'd have to decrypt and re-encrypt everything. If it crossed control boundaries, you'd have to tell users to keep a copy of the broken cipher implementation.
It's like the worst kind of applied crypto pain. Changing network crypto is easy in comparison! TLDR: version *everything* always, and include plaintext checksums if you have to worry about long-term durability minutia like this. /out
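The thread's argument, as an added example that is not the author's code: a toy stream cipher (keyed BLAKE2b standing in for the Salsa20 core, and a block counter that wraps after 4 blocks standing in for the real wrap at 2^32 blocks, i.e. 256 GiB) shows that data written by the buggy implementation and read back by the fixed one still passes an encrypt-then-MAC check, while a MAC over the plaintext catches the garbage; it also shows the wrapped blocks leaking the XOR of their plaintexts. Keys, nonce and data are constructed.

```python
import hashlib
import hmac

BLOCK = 64   # Salsa20 keystream block size in bytes
WRAP = 4     # toy stand-in for the real 2**32 block counter (2**32 * 64 B = 256 GiB)


def keystream(key: bytes, nonce: bytes, length: int, buggy: bool) -> bytes:
    """Toy keystream: keyed BLAKE2b stands in for the Salsa20 core.
    buggy=True models the bug: the block counter wraps at WRAP, so block i
    and block i+WRAP are encrypted with the same keystream bytes."""
    out = bytearray()
    for i in range(-(-length // BLOCK)):          # ceil(length / BLOCK) blocks
        ctr = i % WRAP if buggy else i
        out += hashlib.blake2b(nonce + ctr.to_bytes(8, "little"),
                               key=key, digest_size=BLOCK).digest()
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_xor(key: bytes, nonce: bytes, data: bytes, buggy: bool) -> bytes:
    """Stream cipher: encryption and decryption are the same XOR."""
    return xor(data, keystream(key, nonce, len(data), buggy))


def block(data: bytes, i: int) -> bytes:
    return data[i * BLOCK:(i + 1) * BLOCK]


def durability_check(key: bytes, mac_key: bytes, nonce: bytes, pt: bytes) -> dict:
    """Store pt with the buggy cipher, read it back with the fixed cipher, and
    compare what an encrypt-then-MAC tag and a plaintext MAC each detect."""
    ct = stream_xor(key, nonce, pt, buggy=True)
    tag_ct = hmac.new(mac_key, ct, "sha256").digest()       # encrypt-then-MAC tag
    tag_pt = hmac.new(mac_key, pt, "sha256").digest()       # MAC over the plaintext
    recovered = stream_xor(key, nonce, ct, buggy=False)     # decrypt after the fix
    nblocks = -(-len(pt) // BLOCK)
    first_bad = next((i for i in range(nblocks) if block(recovered, i) != block(pt, i)), None)
    return {
        # the stored ciphertext bytes never changed, so the ciphertext MAC still validates
        "ciphertext_mac_ok": hmac.compare_digest(tag_ct, hmac.new(mac_key, ct, "sha256").digest()),
        # only a MAC over the plaintext notices that the decryption is now garbage
        "plaintext_mac_ok": hmac.compare_digest(tag_pt, hmac.new(mac_key, recovered, "sha256").digest()),
        "first_garbage_block": first_bad,                   # the first block past the wrap
        # keystream reuse: XOR of two ciphertext blocks equals XOR of their plaintexts
        "xor_leak": xor(block(ct, 0), block(ct, WRAP)) == xor(block(pt, 0), block(pt, WRAP)),
    }


# constructed sample input (not real keys); 700 bytes spans the toy wrap with a partial last block
KEY, MAC_KEY, NONCE = bytes(range(32)), b"\x42" * 32, b"\x00" * 8
PLAINTEXT = bytes((i * 37 + 11) % 256 for i in range(700))
```

Running `durability_check(KEY, MAC_KEY, NONCE, PLAINTEXT)` reports the ciphertext MAC passing, the plaintext MAC failing, garbage starting at block 4, and the XOR leak holding.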