Re: CVE Request - Ruby OpenSSL Library - IV Reuse in GCM Mode

[Mike Santillana <michael.santillana () wework com>]

Hi Seth,

The random_iv method automatically sets the IV to be used by the cipher:
http://ruby-doc.org/stdlib-1.9.3/libdoc/openssl/rdoc/OpenSSL/Cipher.html#method-i-random_iv.
The reason I do "iv = cipher.random_iv" is to get the IV value so I can
print the value (or traditionally, pass it along so it can be used in the
decryption phase).

I hope this clears the example up a bit.

Thanks


*WeWork | Mike Santillana*
Security Engineer
845-709-5655
www.wework.com

Create Your Life's Work

On Mon, Sep 19, 2016 at 3:53 PM, Seth Arnold <seth.arnold () canonical com>
wrote:

> On Mon, Sep 19, 2016 at 03:20:02PM -0400, Mike Santillana wrote:
> > An IV reuse bug was discovered in Ruby's OpenSSL library when using
> > aes-gcm. When encrypting data with aes-*-gcm, if the IV is set before
> > setting the key, the cipher will default to using a static IV. This
> creates
> > a static nonce and since aes-gcm is a stream cipher, this can lead to
> known
> > cryptographic issues.
> >
> > The documentation does not appear to specify the order of operations when
> > setting the key and IV [1]. As an example, see the following insecure
> code
> > snippet below:
> >
> > Vulnerable Code:
> >
> > def encrypt(plaintext)
> >     cipher = OpenSSL::Cipher.new('aes-256-gcm')
> >     iv = cipher.random_iv # Notice here the IV is set before the key
> >     cipher.key = '11111111111111111111111111111111'
> >     cipher.auth_data = ""
> >     ciphertext = cipher.update(plaintext) + cipher.final
> >     tag = cipher.auth_tag
> >
> >     puts "[+] Encrypting: #{plaintext}"
> >     puts "[+] CipherMessage (IV | Tag | Ciphertext): #{bin2hex(iv)} |
> > #{bin2hex(tag)} | #{bin2hex(ciphertext)}"
> > end
>
> Hello,
>
> I think you have a mistake in this sample code, 'iv' is assigned but never
> used (aside from being printed).
>
> Your github code is far more complicated but looks like it is doing the
> right thing.
>
> Thanks