Full Disclosure mailing list archives
CCA on CoreProc/crypto-guard and an Appeal to PHP Programmers
From: Scott Arciszewski <scott () paragonie com>
Date: Thu, 14 Jan 2016 16:53:31 -0500
Hi Full Disclosure Readers, Let's jump right into the vulnerability: In May of last year, I reported to CryptoGuard that their cryptography wasn't guarding against chosen-ciphertext attacks, which is the sort of oversight that would allow me to intercept a ciphertext message then keep feeding it back into the decryption process with slight alterations until I recovered the plaintext. https://github.com/CoreProc/crypto-guard/issues/1 And then several months passed, and I forgot it even existed. I got a notification last night that they closed the issue, and eagerly tagged a v1.0.0 release. So I looked again a bit more carefully and I discovered that they were using their IV as an HMAC key. https://github.com/CoreProc/crypto-guard/issues/3 Experienced infosec folks are probably expecting me to say, "Don't roll your own crypto." And they're half right. You probably shouldn't write your own crypto code, be it for encrypting text, storing passwords, or storing all of your session state in a cookie (shudder). But I've come to realize that telling programmers not to write crypto is like telling teenagers to practice abstinence. Instead, I implore you to follow the advice of Taylor Hornby (Defuse Security, Crackstation, CryptoFails, etc.): http://www.cryptofails.com/post/75204435608/write-crypto-code-dont-publish-it Crypto Amateurs: Write Crypto Code! Don't Publish It! ----------------------------------------------------- Publishing crypto code means either publishing it online or deploying it in production. There are risks associated with both. * Deploying: You've just deployed vulnerable code to your company's server. Well done. * Publishing: You've left another land mine for other developers to accidentally step on. The above CryptoGuard library? People not only use it, they actively recommend it to other developers. * http://stackoverflow.com/a/27497122/2224584 * http://stackoverflow.com/a/27471590/2224584 * http://stackoverflow.com/q/28700653/2224584 Earlier this year I found a dubious attempt to port GnuPG to PHP: https://github.com/jasonhinkle/php-gpg To make a long story short, here's someone asking for advice on how to integrate with it: https://twitter.com/Raed667/status/666037143224102912 I'd like to propose the following workflow (Pastebin: http://pastebin.com/raw/1ap1dX4z) .-------, | START | .-----------, `---+---' | OK, cool. |<, | .---------------------, '----+------' | '-------->+ Am I rolling my own +----------------' | | cryptography? | No | '----------+----------' | | Yes | v | .---------------+---------------. | OK | Do I have enough money in my | .------------+-------------, | project's budget allocated to +------->| You should do that then. | | hire a cryptography expert to | Yes `--------------------------' | review my implementation? | `---------------+---------------' | No v .-----------------------------, | Don't publish or deploy it. | `-----------------------------' I hope you find my proposal to be sane and reasonable enough to adhere to, for the sake of your own applications. Please share this flowchart with every (especially but necessarily PHP) programmer you know until these mistakes are eradicated and/or sufficiently discouraged. Scott Arciszewski Chief Development Officer Paragon Initiative Enterprises <https://paragonie.com> _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- CCA on CoreProc/crypto-guard and an Appeal to PHP Programmers Scott Arciszewski (Jan 15)