Re: CVE Request - Ruby OpenSSL Library - IV Reuse in GCM Mode

[Brandon Perry <bperry.volatile () gmail com>]

> On Sep 19, 2016, at 2:53 PM, Seth Arnold <seth.arnold () canonical com> wrote:
>
> On Mon, Sep 19, 2016 at 03:20:02PM -0400, Mike Santillana wrote:
> > An IV reuse bug was discovered in Ruby's OpenSSL library when using
> > aes-gcm. When encrypting data with aes-*-gcm, if the IV is set before
> > setting the key, the cipher will default to using a static IV. This creates
> > a static nonce and since aes-gcm is a stream cipher, this can lead to known
> > cryptographic issues.
> >
> > The documentation does not appear to specify the order of operations when
> > setting the key and IV [1]. As an example, see the following insecure code
> > snippet below:
> >
> > Vulnerable Code:
> >
> > def encrypt(plaintext)
> >    cipher = OpenSSL::Cipher.new('aes-256-gcm')
> >    iv = cipher.random_iv # Notice here the IV is set before the key
> >    cipher.key = '11111111111111111111111111111111'
> >    cipher.auth_data = ""
> >    ciphertext = cipher.update(plaintext) + cipher.final
> >    tag = cipher.auth_tag
> >
> >    puts "[+] Encrypting: #{plaintext}"
> >    puts "[+] CipherMessage (IV | Tag | Ciphertext): #{bin2hex(iv)} |
> > #{bin2hex(tag)} | #{bin2hex(ciphertext)}"
> > end
>
> Hello,
>
> I think you have a mistake in this sample code, 'iv' is assigned but never
> used (aside from being printed).

Ruby really likes side-effects. Calling #random_iv generates and sets a new IV on the cipher, then returns it to the 
caller. Very magical.

https://ruby-doc.org/stdlib-2.0.0/libdoc/openssl/rdoc/OpenSSL/Cipher.html#method-i-random_iv 
<https://ruby-doc.org/stdlib-2.0.0/libdoc/openssl/rdoc/OpenSSL/Cipher.html#method-i-random_iv>
> Your github code is far more complicated but looks like it is doing the
> right thing.
>
> Thanks

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail