Posted to issues@guacamole.apache.org by "Chris Wheeler (Jira)" <ji...@apache.org> on 2021/02/11 21:45:00 UTC

[jira] [Comment Edited] (GUACAMOLE-1286) Support a custom IV in guacamole-auth-json

    [ https://issues.apache.org/jira/browse/GUACAMOLE-1286?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17283391#comment-17283391 ] 

Chris Wheeler edited comment on GUACAMOLE-1286 at 2/11/21, 9:44 PM:
--------------------------------------------------------------------

No, don't do this. [~bnzelic], your cryptography expert is confused. If this were simply AES-CBC encryption of a transmitted encrypted message, then yes, using a random IV would be more secure. But this is not that; it is an implementation of CBC-MAC, which not only encrypts the transmission but also provides the mechanism to authenticate the sender. By using a random IV, the authentication part gets weaker ([source|https://crypto.stackexchange.com/a/1076]). Using a zero IV is part of the CBC-MAC protocol itself ([source|https://en.wikipedia.org/wiki/CBC-MAC#mw-content-text:~:text=one%20encrypts%20m%20in%20CBC%20mode%20with%20zero%20initialization%20vector%20and%20keeps%20the%20last%20block]).

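As an added illustration of the point made in the comment above (example code written for this page, not code from guacamole-auth-json; the key and the JSON payload are constructed): a minimal CBC-MAC built on AES-CBC. With the protocol-fixed zero IV, any change to the message changes the tag. With a sender-supplied IV that travels with the message, the cipher only ever sees IV XOR M1, so the first block is no longer authenticated, which is the weakening the comment refers to.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class CbcMacIvDemo {
    static final int BLOCK = 16;

    // CBC-MAC: encrypt the (block-aligned) message in CBC mode and keep only the last block.
    static byte[] cbcMac(byte[] key, byte[] iv, byte[] msg) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
        byte[] ct = c.doFinal(msg);
        return Arrays.copyOfRange(ct, ct.length - BLOCK, ct.length);
    }

    // Receiver-side check: recompute the tag under the IV the receiver uses and compare.
    static boolean verifies(byte[] key, byte[] iv, byte[] msg, byte[] tag) throws Exception {
        return Arrays.equals(tag, cbcMac(key, iv, msg));
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[BLOCK];                 // constructed demo key, not a real secret
        Arrays.fill(key, (byte) 0x42);
        byte[] msg = "{\"username\":\"alice\",\"expires\":\"1\"}".getBytes(StandardCharsets.UTF_8);
        msg = Arrays.copyOf(msg, 3 * BLOCK);          // zero-pad to a block boundary (constructed)

        // 1) IV fixed to zero by the protocol: the receiver never takes an IV from the sender,
        //    so flipping a bit anywhere in the message invalidates the tag.
        byte[] zeroIv = new byte[BLOCK];
        byte[] tag = cbcMac(key, zeroIv, msg);
        byte[] altered = msg.clone();
        altered[0] ^= 0x01;
        System.out.println("zero IV, altered message accepted: " + verifies(key, zeroIv, altered, tag));

        // 2) IV chosen by the sender and sent alongside the message: the first AES input is
        //    IV XOR M1, so every pair (IV', M1') with IV' XOR M1' == IV XOR M1 yields the same
        //    tag. Flipping the same bit in both leaves the chain, and therefore the tag, unchanged.
        byte[] sentIv = new byte[BLOCK];
        new SecureRandom().nextBytes(sentIv);
        byte[] tag2 = cbcMac(key, sentIv, msg);
        byte[] iv2 = sentIv.clone();
        byte[] msg2 = msg.clone();
        iv2[0] ^= 0x01;
        msg2[0] ^= 0x01;
        System.out.println("sender IV, altered IV+message accepted: " + verifies(key, iv2, msg2, tag2));
    }
}
```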

> Support a custom IV in guacamole-auth-json
> ------------------------------------------
>
>                 Key: GUACAMOLE-1286
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1286
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: guacamole-auth-json
>            Reporter: Bojan Zelic
>            Priority: Major
>
> It would be nice to support a custom (not-null) IV in guacamole-auth-json.
> We have a cryptography expert at our company who took a look at the implementation here:
> [https://github.com/apache/guacamole-client/blob/master/extensions/guacamole-auth-json/src/main/java/org/apache/guacamole/auth/json/CryptoService.java#L76]
> According to him:
>  * Having a null IV coupled with the cipher that Guacamole is using (CBC) is far from ideal from a security perspective; even with the signature in the payload it is possible to generate the same ciphertext, thus it is brute-forceable.
>  * He also thinks that it could be nice to use a standard like AEAD (https://en.wikipedia.org/wiki/Authenticated_encryption) in Guacamole instead of using a custom implementation.
> We believe that allowing a null IV could be problematic and that allowing a configurable IV would be a great short-term solution.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)