ECB encryption of passphrase
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| eCryptfs |
Confirmed
|
Medium
|
Unassigned | ||
Bug Description
To encrypt a passphrase, ecryptfs-utils uses AES 128-bit in ECB mode of operation. The passphrase is 16-byte (128-bit) long. The wrapping process encrypts the hexlified version of the passphrase which lies on 32 bytes (256 bits). It means two AES blocks will be process during the key wrapping. In the (unlikely) case were the passphrase has the upper 8-byte part equal to the lower 8-byte part then its wrapped version will also have the same property. If an adversary sees an encrypted key in the wrapped-passphrase file with the lower part equal the upper part he will now that he have only to bruteforce 8 bytes and not the full 16-byte key.
To convince yourself of this property you can execute:
printf "%s\n%s" "00112233445566
The resulting keyfile contains the wrapped passphrase with two identical blocks. I think it should either use CBC mode of operation for key wrapping or encryption of the raw version of the passphrase not the hexlified version. It is not a big issue but 2^64 keys have only 64-bit security with the current scheme.
CVE References
| Tyler Hicks (tyhicks) wrote | #1 |
| Changed in ecryptfs: | |
| importance: | Undecided → Medium |
| status: | New → Confirmed |
| Sylvain (sylvain-pelissier) wrote | #2 |
| information type: | Private Security → Public Security |
Hi Sylvain - Thanks for the bug report!
I agree that ECB mode is not idealt. It is on my todo list to migrate to a better wrapping scheme after I became familiar with the code while fixing CVE-2014-9687.