bbangert / beaker

WSGI middleware for sessions and caching
https://beaker.readthedocs.org/

Suggested use of encrypt_key and secret option weakens encryption #118

Open schlenk opened 7 years ago

schlenk commented 7 years ago

The docs suggest using only the `encrypt_key`/`validate_key` options instead of the `secret` option.

`secret` triggers the use of the SignedCookie implementation, which HMACs the data, while `encrypt_key` / `validate_key` just encrypts (with CBC or CTR modes, depending on the backend used).

As the encryption code does not use any AEAD ciphers (CTR and CBC mode, but not GCM), this leads to non-authenticated encryption when only `encrypt_key` is used, but not `secret`.

Using both would provide a safer encrypt-then-MAC style, similar to GCM.

I would suggest using `validate_key` instead of `secret` for the HMAC (and dropping it from the weird `generateCryptoKeys` call) and always using SignedCookies, or fixing the documentation and removing the "These options should then be used instead of the secret option listed above." sentence.

The docs also lie about this, as the session doc states: "All cookies are signed with an HMAC signature to prevent tampering by the client."

See https://blog.cryptographyengineering.com/2012/05/19/how-to-choose-authenticated-encryption/ for why you want authenticated encryption.
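
The difference described in this issue, shown as an added example that is not part of the original post and is not Beaker's code: a cookie protected by a stream mode alone decrypts without error after it has been modified, while an encrypt-then-MAC token is rejected before decryption. The HMAC-SHA256 keystream is a standard-library stand-in for AES-CTR, and all function names and the sample payload are hypothetical.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32

def keystream(key, nonce, length):
    # Stand-in for AES-CTR (stdlib only): HMAC-SHA256(key, nonce || counter) blocks.
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_only(enc_key, plaintext):  # confidentiality only, no MAC
    nonce = os.urandom(NONCE_LEN)
    return nonce + xor(plaintext, keystream(enc_key, nonce, len(plaintext)))

def decrypt_only(enc_key, blob):
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return xor(ct, keystream(enc_key, nonce, len(ct)))

def seal(enc_key, mac_key, plaintext):
    # Encrypt-then-MAC: the tag covers nonce and ciphertext.
    blob = encrypt_only(enc_key, plaintext)
    return blob + hmac.new(mac_key, blob, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, token):
    if len(token) < NONCE_LEN + TAG_LEN:
        raise ValueError("token too short")
    blob, tag = token[:-TAG_LEN], token[-TAG_LEN:]
    expected = hmac.new(mac_key, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # verify before decrypting
        raise ValueError("MAC check failed")
    return decrypt_only(enc_key, blob)

def flip_bit(data, index):  # models a one-bit change made outside the server
    return data[:index] + bytes([data[index] ^ 0x01]) + data[index + 1:]

if __name__ == "__main__":
    enc_key, mac_key = os.urandom(32), os.urandom(32)  # independent keys
    session = b'{"user_id": 42}'  # constructed sample payload
    bad = flip_bit(encrypt_only(enc_key, session), NONCE_LEN)
    print("encrypt-only accepts altered data:", decrypt_only(enc_key, bad) != session)
    try:
        open_sealed(enc_key, mac_key, flip_bit(seal(enc_key, mac_key, session), NONCE_LEN))
    except ValueError as exc:
        print("encrypt-then-MAC rejects it:", exc)
```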

amol- commented 7 years ago

Seems to correlate with #41

schlenk commented 7 years ago

Yes. It's the same issue, just described differently.