Particularly in the streaming case, where decryption happens and may result in content being played back to the user, authentication of the message (i.e. confirming the hash matches) only happens at the end. So tampering is detected, but only after the content is played.
To fix this, streaming messages (and perhaps all messages) should use an authenticating encryption cipher so that any tampering is immediately detected during streaming decryption.
This may be in addition to the hash check at the end as well so that the rest of the ironpigeon protocol remains unchanged.
Switching from AesCbcPkcs7 to AesCcm breaks tests because PclCrypto hasn't implemented CCM block mode, it seems.
I wonder if CCM has padding or if we'd have to solve that another way as well.
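The per-chunk authentication proposed above, as an added example that is not part of the original thread and is not IronPigeon or PCLCrypto code. It assumes .NET 6 or later with `System.Security.Cryptography.AesCcm` in place of PCLCrypto; `ChunkedAead`, `Seal`, `Open` and the chunk framing (8-byte stream prefix, chunk index, final-chunk flag) are hypothetical.

```csharp
using System;
using System.Buffers.Binary;
using System.Security.Cryptography;

// Added illustration; ChunkedAead, Seal and Open are hypothetical names, not a library API.
static class ChunkedAead
{
    const int TagSize = 16, NonceSize = 12;

    // Nonce = 8-byte stream prefix || 4-byte big-endian chunk index: unique per chunk under one key.
    static byte[] Nonce(byte[] prefix, uint index)
    {
        var nonce = new byte[NonceSize];
        prefix.CopyTo(nonce, 0);
        BinaryPrimitives.WriteUInt32BigEndian(nonce.AsSpan(8), index);
        return nonce;
    }

    // Returns ciphertext || tag. CCM adds no padding: ciphertext length equals plaintext length.
    public static byte[] Seal(AesCcm aes, byte[] prefix, uint index, bool last, byte[] plain)
    {
        var cipher = new byte[plain.Length];
        var tag = new byte[TagSize];
        // The "last" flag is authenticated as associated data so truncation is detectable.
        aes.Encrypt(Nonce(prefix, index), plain, cipher, tag, new[] { (byte)(last ? 1 : 0) });
        var sealedChunk = new byte[cipher.Length + TagSize];
        cipher.CopyTo(sealedChunk, 0);
        tag.CopyTo(sealedChunk, cipher.Length);
        return sealedChunk;
    }

    // Throws CryptographicException on a modified, reordered or mis-flagged chunk,
    // so the caller never receives unauthenticated plaintext.
    public static byte[] Open(AesCcm aes, byte[] prefix, uint index, bool last, byte[] sealedChunk)
    {
        int n = sealedChunk.Length - TagSize;
        if (n < 0) throw new CryptographicException("Chunk shorter than the tag.");
        var plain = new byte[n];
        aes.Decrypt(Nonce(prefix, index), sealedChunk.AsSpan(0, n), sealedChunk.AsSpan(n), plain, new[] { (byte)(last ? 1 : 0) });
        return plain;
    }

    static void Main()
    {
        using var aes = new AesCcm(RandomNumberGenerator.GetBytes(32)); // constructed sample key
        var prefix = RandomNumberGenerator.GetBytes(8);                 // constructed stream prefix
        var chunk = Seal(aes, prefix, 0, false, new byte[] { 1, 2, 3 }); // constructed sample chunk
        chunk[0] ^= 1; // one bit changed in transit
        try { Open(aes, prefix, 0, false, chunk); } catch (CryptographicException) { Console.WriteLine("chunk 0 rejected before playback"); }
    }
}
```

Each chunk is released to the player only after `Open` returns, and a stream that ends without a chunk opened with `last: true` should be treated as truncated.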