Comments (3)
For the IV:
Yeah, an empty IV is ok for now, though my point is if you touch this library again in 4 years to extend it to encrypt multiple files, do you still know about this issue? Better to add it now.
Your reading is not entirely accurate, but I did not explain it in much detail anyway. What you're essentially describing is an attacker that collects all horcruxes and replaces them with something else. This is not something that can be defended against easily and would require some sort of signature of the entity creating the horcruxes, but I think we're leaving the scope of the library here and it is an entirely different issue. This would be the property of authenticity.
However, I'm only focusing on integrity. My issue is that an attacker can modify the content of the file without knowing the key and it's not detectable (by the computer at least). It works by the attacker simply flipping some bits of the ciphertext.
If you look at how OFB works: https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Output_Feedback_(OFB) then you can clearly see that the plaintext is simply XORed with some generated bitstream (which is why OFB is kind of a stream cipher). For decryption, the same bitstream is XORed with the ciphertext again.
An example: let's say you're encrypting the character 'A'; in bits this is:
01000001
now you XOR it with some random bits (10110011), yielding the cipher text:
11110010
OK, but now the attacker can flip any bit from this ciphertext and directly influence the corresponding bit of the plaintext that will be generated. If the attacker in addition knows what you're encrypting (maybe some well-known prefix, your name, ...) then the attacker can easily influence the whole ciphertext by simply flipping the bits at the required places. The current scheme does nothing to prevent that.
For implementing the countermeasure:
Appending a MAC would also be possible, if authenticated encryption ciphers are not feasible to use. They usually operate in a block-mode, which is why there is probably no readily made stream implementation.
from horcrux.
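As an added example (not code from the thread or from the horcrux project), the following Go snippet shows both halves of the argument above: plain AES-OFB with a zero IV passes a ciphertext bit flip straight through to the decrypted plaintext, while the encrypt-then-MAC variant (countermeasure 2, appending an HMAC) rejects the modified ciphertext before decrypting. The keys are constructed demo values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)
// Constructed demo keys (not the project's); derive separate enc/MAC keys in practice.
var encKey = []byte("0123456789abcdef0123456789abcdef")
var macKey = []byte("fedcba9876543210fedcba9876543210")
// ofb applies the AES-OFB keystream (same op for encrypt and decrypt); zero IV as in the thread.
func ofb(key, data []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(data))
	cipher.NewOFB(block, make([]byte, aes.BlockSize)).XORKeyStream(out, data)
	return out
}
// flipByte XORs one ciphertext byte with mask; OFB passes that XOR straight to the plaintext byte.
func flipByte(ct []byte, pos int, mask byte) []byte {
	out := append([]byte(nil), ct...)
	out[pos] ^= mask
	return out
}
// sealOFB encrypts, then appends an HMAC-SHA256 tag over the ciphertext (encrypt-then-MAC).
func sealOFB(pt []byte) []byte {
	ct := ofb(encKey, pt)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(ct)
	return mac.Sum(ct) // ciphertext || tag
}
// openOFB verifies the tag in constant time before decrypting anything.
func openOFB(sealed []byte) ([]byte, error) {
	if len(sealed) < sha256.Size {
		return nil, errors.New("sealed data too short")
	}
	ct, tag := sealed[:len(sealed)-sha256.Size], sealed[len(sealed)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(ct)
	if !hmac.Equal(tag, mac.Sum(nil)) {
		return nil, errors.New("integrity check failed: ciphertext was modified")
	}
	return ofb(encKey, ct), nil
}
```

With a streamed reader the same idea applies per chunk: MAC each chunk (or use an AEAD per chunk with a chunk counter in the nonce) so that no plaintext is emitted before its tag has been checked.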
Just to provide some context, I have switched to use Shamir's Secret Sharing Scheme, meaning we only use one key (and we only use that key once). For that reason I believe an empty IV is sufficient. But I don't have a particularly strong background in encryption so please let me know if otherwise.
As for countermeasure 1, I think that should be easy enough. I can create a reader that reads from each horcrux in turn and validates that everything returns the same thing before writing that to the buffer. However, when threshold == total we divide the encrypted content evenly between the horcruxes to save space. Do we still need to do something here to ensure integrity?
As for countermeasure 2, could you give a little more context around the issue? My reading is that unauthenticated OFB encryption is bad because somebody could decrypt the content, then modify the plaintext, then re-encrypt it again, and you wouldn't know the plaintext had been modified. Is that correct? Also, looking up ChaCha20-Poly1305, I can't find examples of where I can use that in a streamed manner.
from horcrux.
Took me a while to get around to this, but thanks for the detailed explanation @simonerni. Currently I'm spending most of my free time on https://github.com/jesseduffield/lazygit so I won't have time to implement this any time soon, but I will happily review a PR!
from horcrux.