kdbxweb icon indicating copy to clipboard operation
kdbxweb copied to clipboard
verified publisher icon keeweb

[feature request] - Using AES-GCM instead of CBC

Open Sparkenstein opened this issue 1 year ago • 4 comments

I was developing some small utility, I got this warning in the browser:

image

AES-CBC and AES-CTR do not provide authentication by default, 
and implementing it manually can result in minor, but serious mistakes. 
We recommended using authenticated encryption like AES-GCM to protect 
against chosen-ciphertext attacks.

Which makes sense, KDBX is used for storing data alongside secrets, GCM helps in checking if data is tampered or not. Should look into it

Sparkenstein avatar Jun 15 '24 07:06 Sparkenstein

I am assuming the project is dead

Sparkenstein avatar Nov 10 '24 17:11 Sparkenstein

@Sparkenstein Keeweb itself is very much alive. Currently, we're working on v1.19.0, and this library is what I'm focusing on to address old packages.

Once I get Keeweb v1.19 released, I'll focus on adding additional things to this package. Right now this needs to be updated to support the new WebDAV functionality coming, and also address an old package which has an issue.

Aetherinox avatar Dec 23 '24 01:12 Aetherinox

Thanks, Would like contributions? I already looked into it last month or so but considering there was no activity on library I thought the changes might not get merged so I gave up.

if you are active I can look into contributing again. as far as I understand entire implementation is here: https://github.com/keeweb/kdbxweb/blob/master/lib/crypto/crypto-engine.ts#L74

and we just need additional file that has GCM (assuming we will not remove CBC for backward compatibility)

Sparkenstein avatar Dec 26 '24 13:12 Sparkenstein

If you're up for contributing and think you can provide a solid and acceptable solution, I'm all for it, as long as it's not hacky. I have to keep security in mind with an app like this, so obviously all submissions need to be rigorously vetted to ensure we're not introducing a vulnerability that will bite us in the rear later.

But if you think you can get a working copy going, by all means, make the changes and submit it and I'll review it. It would be nice to get some contributions. I've got a list of about 30 things, and not enough fingers to produce it fast enough.

and we just need additional file that has GCM (assuming we will not remove CBC for backward compatibility)

Yeah, we can't remove CBC unless some major issue arises, but I don't have a problem with an addition.

if you are active I can look into contributing again

I'm active for Keeweb every day. Just sitting in the background coding. Right now I have 23 files I need to commit that I've worked on all this week, but I haven't finished up this group of fixes / changes.

Aetherinox avatar Dec 27 '24 10:12 Aetherinox