oss-sec mailing list archives
PSA: Don't use RNCryptor
From: Scott Arciszewski <scott () paragonie com>
Date: Sun, 24 Jan 2016 18:40:37 -0500
I've discovered that several people are promoting a cryptography library called RNCryptor on Stack Exchange websites. Last year, I found that it failed to compare MACs in constant-time (which is rule #1 of the cryptography coding standards, by the way). This is not only a remotely exploitable cryptographic side-channel that allows for MAC forgeries that result in chosen-ciphertext attacks, but it's also a sign of poor security engineering that promises more vulnerabilities will be discovered in other components. Today, I spend two minutes looking through the C and Python versions and discovered they are also susceptible to timing attack vulnerabilities. * https://github.com/RNCryptor/RNCryptor-C/blob/ca238ab862205abdcb2e2ae173d2695037639154/rncryptor_c.c#L429 * https://github.com/RNCryptor/RNCryptor-python/blob/71031f243bcba2aaa7bca4ff9a4c01358427b476/RNCryptor.py#L87 And of course, my original finding: https://github.com/RNCryptor/RNCryptor-php/blob/f7ab514209fe476c4aa83a1df1fe9bb655e9e9b0/lib/RNCryptor/Decryptor.php#L99 I'd like to take this opportunity to tell every programmer and information security professional that reads this mailing list: DON'T USE RNCRYPTOR. If you need portable, highly secure cryptography, there is no better answer than libsodium: https://paragonie.com/blog/2015/11/choosing-right-cryptography-library-for-your-php-project-guide (If you're interested in seeing the Stack Exchange discussion: http://stackoverflow.com/a/34969963/2224584) Scott Arciszewski Chief Development Officer Paragon Initiative Enterprises <https://paragonie.com>
Current thread:
- PSA: Don't use RNCryptor Scott Arciszewski (Jan 24)