Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Lots of issues #32

Open
jbarlow83 opened this issue Aug 20, 2017 · 1 comment
Open

Lots of issues #32

jbarlow83 opened this issue Aug 20, 2017 · 1 comment

Comments

@jbarlow83
Copy link

https://www.reddit.com/r/Python/comments/6utwyn/a_python_cheat_sheet_about_security/dlvo6n2/
@crazyguitar
Copy link
Owner

crazyguitar commented Aug 21, 2017
edited

I really really appreciate that you open this issue!! thanks. 👍

Unfortunately, the security cheat sheet was too simple that programmers SHOULD NOT just copy past the code. It will case lots of security issues. I will give a warning on the top of cheat sheet soon.

based on karanlyons said:

The AES examples use CBC with PKCS7 and no MAC, which is the classic example of a scheme open to padding oracle attacks. Nowadays I’d recommend GCM (or EAX) as your block mode if it’s available, and otherwise CTR or CBC with a MAC on the IV & ciphertext using a separate key. And I wouldn’t consider myself within even spitting distance of a crypto expert.

What’s weird is that cryptography has all of those primitives, so it’s concerning that the author didn’t use them. The key stretching is also using a custom function as opposed to one of the KDFs in cryptography as well (it looks like the function is basically HKDF, but the first rule of crypto is “don’t roll your own crypto,” so at the very least we could use the primitives).

There’s also no guarding against nonce/IV reuse (which is a bad idea in general, but thankfully not catastrophic for CBC) in the symmetric crypto. Worse, the key & IV are derived from the initial key, guaranteeing that any given key will always have the same IV, which opens you up to all sorts of attacks based around inference of plaintexts from a corpus of ciphertexts (With CBC if (Key₁, IV₁) == (Key₂, IV₂) then if C₁ == C₂, P₁ == P₂. Additionally the first block is now effectively in ECB mode. With CTR/GCM/EAX/etc. the results are way worse).

There’s probably more stuff wrong, too (like the stuff around certificates seemingly ignoring any trust model, and the implication of a lack of understanding as to the maximum message length given a key size), but that’s what I found from a quick glance. The one bit of good news is that if you just use TLS with strong cipher suites (and a trusted cert with pinning) almost all of this will be done properly for you.

I get the intent behind this, and I think that intent is genuinely good, but crypto is really not a place where you want to be giving any advice unless you’re either an expert or willing to couch your advice in a bunch of caveats.

(Also, and somewhat tangential: if we’re going to put together a “this is how you do things” cheatsheet, it wouldn’t hurt to espouse the most modern stuff we’ve got: ECDSA, AES-GCM, ECDHE, ECC and AEAD in general, scrypt, etc.)

I agree that there still have a lot of work to do ...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jbarlow83 @crazyguitar