Photok
[Security] Use random IV for encryption
Description
Files are encrypted using a key and IV derived from the password. Because this process is entirely deterministic, every file will be encrypted with the same Key/IV pair, which completely breaks the confidentiality offered by the GCM mode of operation. You can find more information about why this is bad here.
Impact
An attacker with access to the encrypted files (which might require root privileges) and knowledge of a single photo can decrypt and view every other photo without knowing the password.
Recommendation
Use a randomly generated IV for each encryption operation.
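The attack in the Impact section, worked through as an added example (this is not Photok's code and does not reproduce its actual key derivation; the SHA-256-based `deriveKeyAndNonceDeterministic`, the file names and the plaintexts are all constructed for the demo). GCM encrypts the body in CTR mode, so a ciphertext is `P xor KS(key, nonce)`. When every file shares one (key, nonce) pair, an attacker who knows the plaintext of one file recovers the keystream as `C_known xor P_known` and strips it off any other file, never touching the key or the password. The same XOR against the fixed scheme (fresh random 96-bit nonce stored in front of each ciphertext) yields nothing.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// Stand-in for the flawed scheme the issue describes: key AND nonce both come
// from the password alone, so every file is sealed under the same pair.
// Assumption for this example only; not Photok's own derivation.
func deriveKeyAndNonceDeterministic(password string) (key, nonce []byte) {
	k := sha256.Sum256([]byte(password))
	n := sha256.Sum256([]byte("nonce:" + password))
	return k[:], n[:12] // AES-256 key, 96-bit GCM nonce
}

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// sealFlawed: fixed (key, nonce) for every file. Output is ciphertext || 16-byte tag.
func sealFlawed(key, nonce, plaintext []byte) []byte {
	return newGCM(key).Seal(nil, nonce, plaintext, nil)
}

// recoverWithKnownPlaintext: keystream reuse attack. With C = P xor KS under a
// shared (key, nonce), KS = C_known xor P_known, so target plaintext =
// C_target xor C_known xor P_known. Recovers as many bytes as the shortest input.
func recoverWithKnownPlaintext(knownCT, knownPT, targetCT []byte) []byte {
	const tagSize = 16
	kc := knownCT[:len(knownCT)-tagSize]
	tc := targetCT[:len(targetCT)-tagSize]
	n := len(kc)
	if len(knownPT) < n {
		n = len(knownPT)
	}
	if len(tc) < n {
		n = len(tc)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = tc[i] ^ kc[i] ^ knownPT[i]
	}
	return out
}

// sealRandomNonce is the recommended fix: a fresh random nonce per encryption,
// written in front of the ciphertext (nonce || ciphertext || tag) so it can be
// read back at decryption time. The nonce is public; only uniqueness matters.
func sealRandomNonce(key, plaintext []byte) []byte {
	aead := newGCM(key)
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		panic(err)
	}
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// openRandomNonce reverses sealRandomNonce; Open verifies the tag first.
func openRandomNonce(key, blob []byte) ([]byte, error) {
	aead := newGCM(key)
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], nil)
}

func main() {
	key, nonce := deriveKeyAndNonceDeterministic("correct horse battery staple")
	known := []byte("photo_0001.jpg: JFIF header + known preview bytes") // constructed
	secret := []byte("photo_0002.jpg: the picture to steal")            // constructed

	// Flawed vault: attacker knows photo_0001, reads photo_0002 without the key.
	ctKnown := sealFlawed(key, nonce, known)
	ctSecret := sealFlawed(key, nonce, secret)
	fmt.Printf("recovered without the key: %q\n", recoverWithKnownPlaintext(ctKnown, known, ctSecret))

	// Fixed vault: same attack against fresh-nonce ciphertexts (nonce prefix stripped).
	a := sealRandomNonce(key, known)
	b := sealRandomNonce(key, secret)
	garbage := recoverWithKnownPlaintext(a[12:], known, b[12:])
	fmt.Println("attack works against random nonces:", bytes.Equal(garbage, secret))
}
```

Two caveats worth keeping in mind when fixing this. Confidentiality is not the only thing nonce reuse breaks in GCM: two messages under the same (key, nonce) also leak the authentication subkey, which lets an attacker forge tags on ciphertexts of their choosing, so the authenticated-encryption guarantee is gone as well. And the per-file nonce has to be stored with the file (as above) or derived from a per-file random salt; a migration of existing files and a bump of the backup format version are unavoidable, which is what the maintainer notes below.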
Thank you for this submission. A similar issue was reported a while back but this one really breaks it down, so I will keep it open.
I may change the title and keep this as a todo for the future.
Was reported in #177.
Implementing this means we need some kind of migration for the users' files, as well as a new backup restoring version.
I did not see the previous issue, but I do agree with the author. The other issues discussed there are legit and I didn't report them here because I wanted to focus on the main problem, which is the IV handling.
If you want to use a better key derivation function than SHA256, you might want to look at this resource which recommends argon2id like mentioned in the previous issue. You might even want to change your password storage mechanisms to use that.
I have made a concept for a new encryption
https://excalidraw.com/#json=nGOvK_cvBiSmj9H2zC_Ms,kfxrwsOVJvm42KVdfAkOmg