[liberationtech] Encipher.it
Michael Rogers
michael at briarproject.org
Thu Jun 20 03:03:29 PDT 2013
On 19/06/13 18:06, Steve Weis wrote:
> I also noticed the verification code might be susceptible to a
> timing attack: "if (hex_hmac_sha1(key, text) === hmac)"
It looks like the adversary might be able to bypass MAC checking
entirely: decryptNode() accepts a message if either the first 40 bytes
are a valid HMAC or the first 64 bytes are the hash of the plaintext.
If the adversary can guess the real plaintext then she can modify the
CTR ciphertext to produce a new plaintext and authenticate it by
replacing the MAC with the hash of the new plaintext.
Cheers,
Michael