oss-sec mailing list archives

PSA: Don't use RNCryptor


From: Scott Arciszewski <scott () paragonie com>
Date: Sun, 24 Jan 2016 18:40:37 -0500

I've discovered that several people are promoting a cryptography library
called RNCryptor on Stack Exchange websites.

Last year, I found that it failed to compare MACs in constant-time (which
is rule #1 of the cryptography coding standards, by the way). This is not
only a remotely exploitable cryptographic side-channel that allows for MAC
forgeries that result in chosen-ciphertext attacks, but it's also a sign of
poor security engineering that promises more vulnerabilities will be
discovered in other components.

Today, I spent two minutes looking through the C and Python versions and
discovered they are also susceptible to timing attack vulnerabilities.

* https://github.com/RNCryptor/RNCryptor-C/blob/ca238ab862205abdcb2e2ae173d2695037639154/rncryptor_c.c#L429
* https://github.com/RNCryptor/RNCryptor-python/blob/71031f243bcba2aaa7bca4ff9a4c01358427b476/RNCryptor.py#L87

And of course, my original finding:
https://github.com/RNCryptor/RNCryptor-php/blob/f7ab514209fe476c4aa83a1df1fe9bb655e9e9b0/lib/RNCryptor/Decryptor.php#L99

I'd like to take this opportunity to tell every programmer and information
security professional that reads this mailing list: DON'T USE RNCRYPTOR.

If you need portable, highly secure cryptography, there is no better answer
than libsodium:
https://paragonie.com/blog/2015/11/choosing-right-cryptography-library-for-your-php-project-guide

(If you're interested in seeing the Stack Exchange discussion:
http://stackoverflow.com/a/34969963/2224584)

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com>
