
Encryption is vulnerable

Open cypherbits opened this issue 4 years ago • 5 comments

Some time ago we changed the message encryption to use the new, safer and faster AES-GCM with libsodium.

But we are reusing the IV/nonce for the same key. AES-GCM is vulnerable in these cases. Nonces should be generated for each new message and stored with the message for decryption (a new DB column).

Exploiting this is not that easy, so we should review our threat model and decide whether or not to change it, or maybe just put a warning in the readme...

cypherbits (Aug 20 '21 20:08)
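The risk described in the comment above, as an added illustration that is not le-chat-php code: when the same key and nonce are used for two messages, an AEAD such as AES-256-GCM (or ChaCha20-Poly1305, which libsodium offers where the CPU lacks AES support) produces the same keystream both times, so the two ciphertexts XOR to the XOR of the two plaintexts without any key involved. The key, nonce and messages below are constructed for the demonstration; the `encryptWith` helper is an assumption.

```php
<?php
// Added illustration for this issue (not le-chat-php code): what reusing a
// (key, nonce) pair under an AEAD leaks. Key, nonce and messages are constructed.
declare(strict_types=1);

// Pick the AEAD the way the thread describes: AES-256-GCM when libsodium reports
// hardware support, otherwise ChaCha20-Poly1305. Both are stream-based AEADs,
// so both repeat their keystream whenever (key, nonce) repeats.
function encryptWith(string $aead, string $plaintext, string $nonce, string $key): string
{
    return $aead === 'aes256gcm'
        ? sodium_crypto_aead_aes256gcm_encrypt($plaintext, '', $nonce, $key)
        : sodium_crypto_aead_chacha20poly1305_ietf_encrypt($plaintext, '', $nonce, $key);
}

$aead  = sodium_crypto_aead_aes256gcm_is_available() ? 'aes256gcm' : 'chacha20poly1305';
$key   = random_bytes(32); // both AEADs use 32-byte keys
$nonce = random_bytes(12); // both use 12-byte nonces; reused below on purpose

$m1 = 'meet at the usual place 21:00';
$m2 = 'meet at the other place 22:15';

$c1 = encryptWith($aead, $m1, $nonce, $key);
$c2 = encryptWith($aead, $m2, $nonce, $key);

// libsodium appends the 16-byte authentication tag; strip it to keep only the
// keystream-masked message bytes.
$body1 = substr($c1, 0, strlen($m1));
$body2 = substr($c2, 0, strlen($m2));

// Same keystream on both sides cancels out: c1 XOR c2 == m1 XOR m2.
// Identical prefixes of the two messages show up as runs of zero bytes.
$leak = $body1 ^ $body2;
echo "AEAD in use: $aead\n";
echo "c1 XOR c2 == m1 XOR m2: " . var_export($leak === ($m1 ^ $m2), true) . "\n";
echo "shared prefix length visible without the key: " . strspn($leak, "\0") . " bytes\n";
```

Run with `php` and a libsodium-enabled build; the XOR comparison prints `true` and the shared prefix comes out as 12 bytes (`meet at the `), which is exactly the kind of relationship between stored chat messages that a fresh nonce per message prevents.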

Got any references to the lines in the files?

ghost (Aug 20 '21 22:08)

@zach83 I don't understand your question. Everything we encrypt on this chat is done wrong.

cypherbits (Aug 26 '21 11:08)

Right, so could you show me where on the file everything is getting encrypted?

ghost (Aug 26 '21 16:08)

That is correct, thanks for pointing it out. Also, the encryption in AES-GCM with libsodium is not always available. If I, for example, enable the encryption on a Raspberry Pi, it will result in a fatal error, because the CPU doesn't provide hardware-accelerated AES, which libsodium considers mandatory for security reasons (see https://www.php.net/manual/en/function.sodium-crypto-aead-aes256gcm-is-available.php). I'd suggest switching to the more secure ChaCha20-Poly1305, which is also provided by libsodium and always available. Along with that, we can introduce a per-message IV.

DanWin (Aug 28 '21 17:08)

Should we support both and make it a config value? Hardware-accelerated AES is a lot faster.

cypherbits (Oct 13 '21 19:10)
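One way to implement what DanWin proposes (a per-message nonce stored beside the ciphertext, ChaCha20-Poly1305 where AES-GCM is not available) together with the config switch cypherbits asks about, as an added example that is not le-chat-php's own code. The `$config` array, the function names, the idea of recording the AEAD name with each row, and the sample messages are all assumptions made for the example; only the libsodium calls and constants are real.

```php
<?php
// Added example for this thread (not le-chat-php code): per-message nonce
// stored next to the ciphertext, AEAD chosen by a config value, with a safe
// fallback where AES-256-GCM is unavailable. $config and the function names
// are assumptions; the message contents are constructed.
declare(strict_types=1);

const AEAD_AES256GCM = 'aes256gcm';
const AEAD_CHACHA20  = 'chacha20poly1305';

// Resolve the configured AEAD. AES-256-GCM is only usable where libsodium
// reports hardware support, so downgrade instead of hitting the fatal error
// described for the Raspberry Pi.
function resolveAead(array $config): string
{
    $wanted = $config['aead'] ?? AEAD_CHACHA20;
    if ($wanted === AEAD_AES256GCM && !sodium_crypto_aead_aes256gcm_is_available()) {
        return AEAD_CHACHA20;
    }
    return $wanted;
}

// Encrypt one message. A fresh random nonce is drawn on every call and returned
// with the ciphertext so it can be written to its own DB column. The AEAD name
// is stored too, so old rows stay decryptable if the config changes later.
function encryptMessage(string $aead, string $plaintext, string $key, string $aad = ''): array
{
    // 12 bytes for both AES-256-GCM and ChaCha20-Poly1305 (IETF variant)
    $nonce = random_bytes(SODIUM_CRYPTO_AEAD_CHACHA20POLY1305_IETF_NPUBBYTES);
    $ciphertext = $aead === AEAD_AES256GCM
        ? sodium_crypto_aead_aes256gcm_encrypt($plaintext, $aad, $nonce, $key)
        : sodium_crypto_aead_chacha20poly1305_ietf_encrypt($plaintext, $aad, $nonce, $key);
    return ['aead' => $aead, 'nonce' => $nonce, 'ciphertext' => $ciphertext];
}

// Decrypt using the nonce stored with the row. Returns null when the tag does
// not verify (tampered row, wrong key, or AAD that does not match).
function decryptMessage(array $row, string $key, string $aad = ''): ?string
{
    $plain = $row['aead'] === AEAD_AES256GCM
        ? sodium_crypto_aead_aes256gcm_decrypt($row['ciphertext'], $aad, $row['nonce'], $key)
        : sodium_crypto_aead_chacha20poly1305_ietf_decrypt($row['ciphertext'], $aad, $row['nonce'], $key);
    return $plain === false ? null : $plain;
}

// --- demo with constructed values ---
$config = ['aead' => AEAD_AES256GCM];                        // admin preference
$aead   = resolveAead($config);                              // may be downgraded
$key    = sodium_crypto_aead_chacha20poly1305_ietf_keygen(); // 32 bytes, same size as AES-256-GCM

$row1 = encryptMessage($aead, 'hello room', $key, 'msg-id:1');
$row2 = encryptMessage($aead, 'hello room', $key, 'msg-id:2');

echo "using: $aead\n";
// Same plaintext, different nonce => different ciphertext, unlike the current code.
echo "ciphertexts differ: " . var_export($row1['ciphertext'] !== $row2['ciphertext'], true) . "\n";
echo "decrypt row 1: " . decryptMessage($row1, $key, 'msg-id:1') . "\n";
// Binding the message id as AAD makes a row copied under another id fail to verify.
echo "row 1 replayed as msg-id:2: " . var_export(decryptMessage($row1, $key, 'msg-id:2'), true) . "\n";
```

Two design notes for anyone adapting this: the nonce and AEAD name belong in their own columns (or a fixed-layout prefix of the ciphertext blob) rather than being derived from anything reusable, and with random 12-byte nonces the key should be rotated well before roughly 2^32 messages, since that is where random nonce collisions become likely; libsodium's XChaCha20-Poly1305 variant with its 24-byte nonce removes that bound if the chat is expected to grow that large.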