
[liberationtech] Encipher.it

Michael Rogers michael at briarproject.org
Thu Jun 20 03:03:29 PDT 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 19/06/13 18:06, Steve Weis wrote:
> I also noticed the verification code might be susceptible to a
> timing attack: "if (hex_hmac_sha1(key, text) === hmac)"

It looks like the adversary might be able to bypass MAC checking
entirely: decryptNode() accepts a message if either the first 40 bytes
are a valid HMAC or the first 64 bytes are the hash of the plaintext.
If the adversary can guess the real plaintext then she can modify the
CTR ciphertext to produce a new plaintext and authenticate it by
replacing the MAC with the hash of the new plaintext.

Cheers,
Michael

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJRwtNxAAoJEBEET9GfxSfMpbMH/1Pcln56XtFQ1AFcwhKZlY/w
iDnnuq2DAsGFd7PtM/0fMq+amgtHOPWm0DzOxPa8TeOqcyXmsPqYYPLYH5kQ87Xa
T+AU377EZQoPNMazA88OkMhOPhwhxDkpTYaFXOwl6mRu4jPk3PLBimWZz1IU0jUY
52rGTT4fptsJwgGjFcATbw/k4RpE9TUpHguDhximadOim+suww1ymHK2kNeLwyOl
Bn/vPZtkoUzoOAgXEgUGONa4b3jlFHbcEEjxL2KtNjvG99X6RsrWq8XJmlOebKB7
CQaQio1kdiyLAuLUtBy9A36DBRTyOW8c72HYhNXiR2jeIEPXID5kHDLuPEEt1S0=
=qiN4
-----END PGP SIGNATURE-----
