Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sat, 16 Jan 2016 03:15:53 -0500
From: Scott Arciszewski <scott@...agonie.com>
To: oss-security@...ts.openwall.com, fulldisclosure@...lists.org
Subject: It essentially wins crypto vulnerability bingo! gilfether/phpcrypt

Consider this email the spiritual successor to my most recent post on Full
Disclosure (http://seclists.org/fulldisclosure/2016/Jan/50).

Today, we're going to talk about this library:
https://github.com/gilfether/phpcrypt/issues/6

Let's go down the list:

- [x] Wrote their own block cipher implementation
- [x] ...in PHP...
- [x] ...and forgot to account for function overloading!
- [x] Chosen-ciphertext attacks (The existence for which is almost implied
by "PHP crypto". Almost.)
- [x] Defaults to a weak random number generator (32 bits of entropy is
enough for AES right?)
- [x] Defaults to ECB mode (https://blog.filippo.io/the-ecb-penguin/)
- [x] Offers a laundry list of ciphers available, some of which are stupid
- [x] ...like SimpleXOR (remember JCrypt?), Vigenere, and Enigma!

Yep, this is almost as bad as it gets. I've attempted to notify everyone on
Github who used this library, but there might be some people who do that
aren't on Github. Please spread the word: migrate away from homebrew PHP
cryptography.

Like most "pure PHP" cryptography projects, this code is pure security
theater. There is no salvaging it.

For PHP developers who would otherwise be left out in the rain by this
disclosure, here are some PHP cryptography libraries that do it right:

1. https://github.com/jedisct1/libsodium-php (HIGHLY recommended!)
​2​
. https://github.com/defuse/php-encryption (recommended!)
3. https://github.com/paragonie/halite (requires #1)
4. https://github.com/paragonie/EasyRSA (reluctantly included for people
that really believe they need RSA)

(Details:
https://paragonie.com/blog/2015/11/choosing-right-cryptography-library-for-your-php-project-guide
)

Seriously, folks: Writing cryptography primitives or protocols is hazardous
in any language. Even if you have a mathematics background.

If you can't afford to hire a cryptography expert to audit your library
before you publish it, you should seriously consider using one that the
community has already reviewed for free.

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com>​

P.S. MITRE, if you're not busy, could you slap a CVE on the issues? This
library actually gets a fair bit of use (though hopefully not for long).

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ