The IV of every encrypted JSON field is the nonce of the request and thus breaks semantic security, i.e. turning the encryption scheme into ECB mode for a particular message. This allows an attacker to find out which passwords are equal if intercepting a get-all-logins response.
The solution is to use a unique random IV per field or encrypting the message as a whole or at least the concatenation of the fields.
I can provide a patch if backwards-compatibility can be broken.
Indeed, that is true, and a mistake; backward compatibility may be broken, but all versions must be updated at once. There is also a third party, KyPass Companion, that I would like to coordinate with as well. Fortunately though, the get-all-passwords request is somewhat rare (only when listing all passwords in Firefox).
On Mar 25, 2013 10:00 AM, "Matthias-Christian Ott" [email protected] wrote:
The IV of every encrypted JSON field is the nonce of the request and thus breaks semantic security, i.e. turning the encryption scheme into ECB mode for a particular message. This allows an attacker to find out which passwords are equal if intercepting a get-all-logins response.
The solution is to use a unique random IV per field or encrypting the message as a whole or at least the concatenation of the fields.
I can provide a patch if backwards-compatibility can be broken.