Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

64-bit Initialization Vectors #16

Open
lipnitsk opened this issue Aug 26, 2014 · 7 comments
Open

64-bit Initialization Vectors #16

lipnitsk opened this issue Aug 26, 2014 · 7 comments
Labels
2.x candidate

Comments

@lipnitsk
Copy link

From: https://defuse.ca/audits/encfs.htm

Initialization vectors are only 64 bits, even when using AES instead of Blowfish. This may lead to vulnerabilities when encrypting large (or lots of) files.
@jetwhiz jetwhiz mentioned this issue Mar 20, 2016
Open
@paragonie-scott
Copy link

See: https://sweet32.info/

@rfjakob
Copy link
Collaborator

rfjakob commented Jan 30, 2017 via email

@paragonie-scott
Copy link

Birthday collisions on a 64-bit input will happen after 2^32 outputs (50% probability).

Try encrypting a terabyte with EncFS and see if you get an IV collision.

@benrubson benrubson mentioned this issue Mar 20, 2017
Closed
@benrubson
Copy link
Contributor

benrubson commented Mar 10, 2018
edited
Loading

Configuration file already contains :
<uniqueIV>0</uniqueIV>
I think we could make this an int rather than a boolean, without breaking compatibility.
As for blockMACBytes (see #13), it would then contain 16 for new filesystems 👍

@benrubson
Copy link
Contributor

Do you think we can safely use an unsigned __int128 value to store 128 bits IVs ?
Or we should better use 2 64 bits values and concat them ?

I'm afraid 128 bits values could not be supported on 32 bits systems, this is at least the case on Cygwin 32 bits (g++/gcc 6.4.0) where the following test fails :

int main()
{
    unsigned __int128 test;
    return 0;
}

expected unqualified-id before « __int128 »

@rfjakob
Copy link
Collaborator

rfjakob commented May 6, 2018

Some googling seems to confirm that. uint128 is not available everywhere. We should rather use 2 x uint64 or 16 x uint8 I believe.

@benrubson
Copy link
Contributor

So I think we would have to declare a new struct containing the 2 uint64, or pass them as 2 args to the functions needing them.
The 2 mainly impacted files are CipherFileIO and SSL_Cipher.

@benrubson benrubson mentioned this issue May 13, 2018
Open
lukateras added a commit to prism-break/prism-break that referenced this issue Jan 15, 2019
@lukateras
Remove EncFS
c4e8b79 
From the latest audit (https://defuse.ca/audits/encfs.htm):

> EncFS is probably safe as long as the adversary only gets one copy of
> the ciphertext and nothing more. EncFS is not safe if the adversary has
> the opportunity to see two or more snapshots of the ciphertext at
> different times. EncFS attempts to protect files from malicious
> modification, but there are serious problems with this feature.

vgough/encfs#8
vgough/encfs#9 (critical)
vgough/encfs#10
vgough/encfs#11
vgough/encfs#13
vgough/encfs#16
vgough/encfs#17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2.x candidate
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@rfjakob @lipnitsk @vgough @benrubson @paragonie-scott