[feature request] - Using AES-GCM instead of CBC
I was developing some small utility, I got this warning in the browser:
AES-CBC and AES-CTR do not provide authentication by default,
and implementing it manually can result in minor, but serious mistakes.
We recommended using authenticated encryption like AES-GCM to protect
against chosen-ciphertext attacks.
Which makes sense, KDBX is used for storing data alongside secrets, GCM helps in checking if data is tampered or not. Should look into it
I am assuming the project is dead
@Sparkenstein Keeweb itself is very much alive. Currently, we're working on v1.19.0, and this library is what I'm focusing on to address old packages.
Once I get Keeweb v1.19 released, I'll focus on adding additional things to this package. Right now this needs to be updated to support the new WebDAV functionality coming, and also address an old package which has an issue.
Thanks, Would like contributions? I already looked into it last month or so but considering there was no activity on library I thought the changes might not get merged so I gave up.
if you are active I can look into contributing again. as far as I understand entire implementation is here: https://github.com/keeweb/kdbxweb/blob/master/lib/crypto/crypto-engine.ts#L74
and we just need additional file that has GCM (assuming we will not remove CBC for backward compatibility)
If you're up for contributing and think you can provide a solid and acceptable solution, I'm all for it, as long as it's not hacky. I have to keep security in mind with an app like this, so obviously all submissions need to be rigorously vetted to ensure we're not introducing a vulnerability that will bite us in the rear later.
But if you think you can get a working copy going, by all means, make the changes and submit it and I'll review it. It would be nice to get some contributions. I've got a list of about 30 things, and not enough fingers to produce it fast enough.
and we just need additional file that has GCM (assuming we will not remove CBC for backward compatibility)
Yeah, we can't remove CBC unless some major issue arises, but I don't have a problem with an addition.
if you are active I can look into contributing again
I'm active for Keeweb every day. Just sitting in the background coding. Right now I have 23 files I need to commit that I've worked on all this week, but I haven't finished up this group of fixes / changes.