oss-sec mailing list archives
Re: CVE Request - Ruby OpenSSL Library - IV Reuse in GCM Mode
From: Brandon Perry <bperry.volatile () gmail com>
Date: Mon, 19 Sep 2016 15:03:23 -0500
On Sep 19, 2016, at 2:53 PM, Seth Arnold <seth.arnold () canonical com> wrote:

> On Mon, Sep 19, 2016 at 03:20:02PM -0400, Mike Santillana wrote:
>> An IV reuse bug was discovered in Ruby's OpenSSL library when using aes-gcm.
>> When encrypting data with aes-*-gcm, if the IV is set before setting the key,
>> the cipher will default to using a static IV. This creates a static nonce and,
>> since aes-gcm is a stream cipher, this can lead to known cryptographic issues.
>> The documentation does not appear to specify the order of operations when
>> setting the key and IV [1]. As an example, see the following insecure code
>> snippet below:
>>
>> Vulnerable Code:
>>
>>   def encrypt(plaintext)
>>     cipher = OpenSSL::Cipher.new('aes-256-gcm')
>>     iv = cipher.random_iv
>>     # Notice here the IV is set before the key
>>     cipher.key = '11111111111111111111111111111111'
>>     cipher.auth_data = ""
>>     ciphertext = cipher.update(plaintext) + cipher.final
>>     tag = cipher.auth_tag
>>     puts "[+] Encrypting: #{plaintext}"
>>     puts "[+] CipherMessage (IV | Tag | Ciphertext): #{bin2hex(iv)} | #{bin2hex(tag)} | #{bin2hex(ciphertext)}"
>>   end
>
> Hello, I think you have a mistake in this sample code: 'iv' is assigned
> but never used (aside from being printed).
Ruby really likes side-effects. Calling #random_iv generates and sets a new IV on the cipher, then returns it to the caller. Very magical.

https://ruby-doc.org/stdlib-2.0.0/libdoc/openssl/rdoc/OpenSSL/Cipher.html#method-i-random_iv

Your GitHub code is far more complicated but looks like it is doing the right thing. Thanks.
Attachment:
signature.asc
Description: Message signed with OpenPGP using GPGMail
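The following is an added example, not code from the thread or from the Ruby openssl project. It shows the ordering the thread arrives at (install the key, then let #random_iv generate and install a fresh IV), a decrypt that verifies the GCM tag, and the concrete cost of a repeated nonce: GCM's CTR keystream depends only on key and IV, so two ciphertexts under the same key and IV XOR to the XOR of their plaintexts. Because whether a given Ruby/OpenSSL build still mis-handles the IV-before-key ordering depends on the version, the reuse case is reproduced by explicitly forcing a constant IV rather than by relying on the bug. The key, the AAD header, the fixed IV and all function names are constructed for this example.

```ruby
require 'openssl'

# Constructed for this example only: a fixed 256-bit key and a short AAD header.
EXAMPLE_KEY = "\x11".b * 32
EXAMPLE_AAD = 'hdr-v1'.b

# XOR two equal-length byte strings.
def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# AES-256-GCM encryption with the key installed BEFORE the IV. #random_iv
# generates a fresh 12-byte IV, installs it on the cipher and returns it.
# The explicit iv: keyword exists only so the reuse demo below can force the
# failure mode; production callers must never pass one.
# Returns [iv, tag, ciphertext].
def gcm_encrypt(key, plaintext, aad: EXAMPLE_AAD, iv: nil)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.encrypt
  cipher.key = key
  if iv
    cipher.iv = iv
  else
    iv = cipher.random_iv
  end
  cipher.auth_data = aad
  ciphertext = cipher.update(plaintext) + cipher.final
  [iv, cipher.auth_tag, ciphertext]
end

# Decrypt and verify; raises OpenSSL::Cipher::CipherError on a bad tag.
def gcm_decrypt(key, iv, tag, ciphertext, aad: EXAMPLE_AAD)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = aad
  cipher.update(ciphertext) + cipher.final
end

# true if the tag verifies, false if ciphertext, tag, IV or AAD was altered.
def authenticates?(key, iv, tag, ciphertext, aad: EXAMPLE_AAD)
  gcm_decrypt(key, iv, tag, ciphertext, aad: aad)
  true
rescue OpenSSL::Cipher::CipherError
  false
end

# With the correct ordering, two encryptions of the same plaintext must yield
# distinct IVs and distinct ciphertexts; a static IV would make both identical.
def fresh_iv_each_call?(key, plaintext)
  iv1, _, c1 = gcm_encrypt(key, plaintext)
  iv2, _, c2 = gcm_encrypt(key, plaintext)
  iv1 != iv2 && c1 != c2
end

# The cost of a repeated IV: the keystream cancels, so C1 XOR C2 == P1 XOR P2
# and an attacker learns the XOR of the plaintexts without the key. The IV is
# fixed here on purpose to reproduce the static-nonce condition from the thread.
def keystream_cancels?(key, p1, p2)
  fixed_iv = "\x00".b * 12 # constructed constant IV, never do this for real
  _, _, c1 = gcm_encrypt(key, p1, iv: fixed_iv)
  _, _, c2 = gcm_encrypt(key, p2, iv: fixed_iv)
  xor_bytes(c1, c2) == xor_bytes(p1, p2)
end

if __FILE__ == $PROGRAM_NAME
  msg = 'attack at dawn!!'
  iv, tag, ct = gcm_encrypt(EXAMPLE_KEY, msg)
  puts "round trip ok:       #{gcm_decrypt(EXAMPLE_KEY, iv, tag, ct) == msg}"
  puts "fresh IV per call:   #{fresh_iv_each_call?(EXAMPLE_KEY, msg)}"
  puts "static IV leaks XOR: #{keystream_cancels?(EXAMPLE_KEY, msg, 'retreat at dusk!')}"
end
```

The two plaintexts in the reuse demo are the same length so the XOR relation holds byte for byte; with unequal lengths it holds over the shorter prefix. Note that the tag does not help here: each ciphertext authenticates individually, and authentication says nothing about whether the nonce was fresh.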
Current thread:
- CVE Request - Ruby OpenSSL Library - IV Reuse in GCM Mode Mike Santillana (Sep 19)
- Re: CVE Request - Ruby OpenSSL Library - IV Reuse in GCM Mode Seth Arnold (Sep 19)
- Re: CVE Request - Ruby OpenSSL Library - IV Reuse in GCM Mode Mike Santillana (Sep 19)
- Re: CVE Request - Ruby OpenSSL Library - IV Reuse in GCM Mode Brandon Perry (Sep 19)
- Re: CVE Request - Ruby OpenSSL Library - IV Reuse in GCM Mode Reed Loden (Sep 19)
- Re: CVE Request - Ruby OpenSSL Library - IV Reuse in GCM Mode Mike Santillana (Sep 19)
- Re: CVE Request - Ruby OpenSSL Library - IV Reuse in GCM Mode Mike Santillana (Sep 30)
- Re: CVE Request - Ruby OpenSSL Library - IV Reuse in GCM Mode Mike Santillana (Sep 19)
- Re: CVE Request - Ruby OpenSSL Library - IV Reuse in GCM Mode cve-assign (Sep 30)
- Re: CVE Request - Ruby OpenSSL Library - IV Reuse in GCM Mode Seth Arnold (Sep 19)