NETProvider icon indicating copy to clipboard operation
NETProvider copied to clipboard
verified publisher icon FirebirdSQL

.NET Provider is using Arc4 Wire Crypt Plugin instead of ChaCha64 in Srp256 Authentication Method

Open luronumen opened this issue 2 months ago • 1 comments

Actual Result

  • .NET Provider is using Arc4 Wire Crypt Plugin instead of ChaCha64 in Srp256 Authentication Method.

Expected Result

  • .NET Provider should use ChaCha64 Wire Crypt Plugin in Srp256 Authentication Method.

Important Notes

  • Arc4 has several known flaws in its key generation algorithm (KSA and PRGA), it is easily attackable if the key or IV is reused or poorly implemented and it is deprecated in virtually all protocols (TLS, WPA, etc.).
  • The latest fbclient.dll already uses the ChaCha64 Wire Crypt Plugin in Srp256 Authentication Method.

luronumen avatar Oct 23 '25 15:10 luronumen

Choice of wire crypt & authentication is independent, i.e. it's not correct to say that ChaCha64 is used in Srp256.

Also be sure that key generated by srp and passed to rc4 is never reused and hardly can be called poorly implemented - it is SRP session key which has a very high quality, at least I've never used to know about problems with it. I.e. in our(!) case rc4 is not that bad, but certainly (specially from further development POV) chacha is better.

AlexPeshkoff avatar Oct 24 '25 05:10 AlexPeshkoff