Open GoogleCodeExporter opened 9 years ago
Seem to have garbled my submission. The middle paragraph should read:
Second, stream ciphers like RC4 should never use the same key on more than one
message. From a cursory glance through the code, it seems CryptSync uses the
hash of the user's password as the key for RC4 for each and every filename.
This is completely insecure and causes key and message leakage. In this case,
this means that due to the reuse of the same key for each filename, if
attackers can obtain several encrypted filenames this will be sufficient to
obtain both the unencrypted filenames and also the key used to encrypt them
(the MD5 hashed password).
Original comment by belt...@ymail.com on 11 Feb 2015 at 2:38
Original issue reported on code.google.com by belt...@ymail.com on 11 Feb 2015 at 2:31
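The keystream reuse described in the comment above, as an added example that is not part of the original issue and is not CryptSync's code: it shows how RC4 under one fixed key leaks the relationship between filenames, and how a per-message key removes that leak. The password, filenames, nonces and function names are constructed for illustration, and the MD5-of-password keying is assumed from the comment's description.

```python
import hashlib

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling, then XOR the data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed sample values (not taken from the issue).
PASSWORD = b"example-password"
NAME_A = b"2015-tax-return.pdf"
NAME_B = b"passwords-backup.kdbx"

def shared_key_leak():
    """Same key for every filename, as the comment describes."""
    key = hashlib.md5(PASSWORD).digest()
    c_a, c_b = rc4(key, NAME_A), rc4(key, NAME_B)
    # The identical keystream cancels: c_a XOR c_b == NAME_A XOR NAME_B.
    ciphertext_xor = xor(c_a, c_b)
    # One known filename exposes the keystream, which then opens the other.
    keystream = xor(c_a, NAME_A)
    return ciphertext_xor, xor(c_b, keystream)

def per_message_key_xor():
    """A distinct key per filename (hypothetical nonce scheme, illustration only).
    A modern AEAD cipher with a unique nonce is the usual choice in practice."""
    k_a = hashlib.sha256(b"nonce-0001" + PASSWORD).digest()
    k_b = hashlib.sha256(b"nonce-0002" + PASSWORD).digest()
    return xor(rc4(k_a, NAME_A), rc4(k_b, NAME_B))

if __name__ == "__main__":
    leaked, recovered = shared_key_leak()
    print("keystream cancels:", leaked == xor(NAME_A, NAME_B))
    print("recovered from known plaintext:", recovered)
    print("cancels with per-message keys:", per_message_key_xor() == xor(NAME_A, NAME_B))
```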