Re: weak use of crypto in python-elixir can lead to information disclosure (CVE and peer review request)

[Vincent Danen <vdanen () redhat com>]

* [2012-04-28 13:58:15 +0200] Florian Weimer wrote:

> > CFB mode is only secure if the the IV is unpredictable and different
> > for every message.
>
> There are a few additional requirements.  Without some form of message
> authentication, chosen-ciphertext attacks are still possible even with
> a random IV.

I'm no crypto expert, so I don't have a comment on this (although I did
note this message in our bug, so that those smarter than I can look at
it).

> > Because of this, and because the encryption key is shared for each
> > database table (fields and rows), the same plaintext prefix is
> > always encrypted to an identical and corresponding ciphertext
> > prefix.  As a result, an attacker with access to the database could
> > figure out the plaintext values of encrypted text.
>
> And you can group by encrypted column values in the database.  That's
> why I'm not sure if it's actually possible to address this issue in a
> satisfying manner.

So the encryption can be more fine-grained than just per-table?  You can
also do it per-column?  If that's the case, this does sound a lot uglier
to deal with.

--
Vincent Danen / Red Hat Security Response Team