bitdust-io / devel

BitDust project source codes development cycle, official Development Git repository (mirror on GitHub) : https://bitdust.io
GNU Affero General Public License v3.0

Cryptographic API Misuse Vulnerability #777

Status: Closed (gxx777 closed 11 months ago)

gxx777 commented 12 months ago

Hello! First and foremost, I would like to express my sincere gratitude for your contributions to this project.

Description:

I have identified a security vulnerability in the BitDust project concerning PBKDF issues.

  1. Insufficient Iteration Count for Key Derivation: The number of iterations used for key derivation in PBE is less than the recommended minimum of 1,000 iterations. This makes the derived keys more susceptible to brute-force attacks.
  2. Use of Constant or Zero Salts: The application uses a constant, default zero salt value for key derivation in PBE. Salts are critical for ensuring that the output of a key derivation function is unique even when the same password is used multiple times. Using a constant salt negates this security feature and makes the system vulnerable to certain types of cryptographic attacks, such as rainbow table attacks.

Locations:

  1. Low iterations:
     https://github.com/bitdust-io/devel/blob/master/bitdust_forks/Bismuth/bismuthclient/bismuthcrypto.py#L215
     https://github.com/bitdust-io/devel/blob/master/bitdust_forks/Bismuth/bismuthclient/simplecrypt.py#L149

  2. Default zero salt:
     https://github.com/bitdust-io/devel/blob/master/bitdust_forks/Bismuth/bismuthclient/bismuthcrypto.py#L218
     https://github.com/bitdust-io/devel/blob/master/bitdust_forks/Bismuth/bismuthclient/simplecrypt.py#L149

References:

CWE-330: Use of Insufficiently Random Values
CWE-326: Inadequate Encryption Strength

Recommendations:

  1. Increase Iteration Count: Update the PBKDF function to use a higher iteration count. Conduct performance tests to determine the optimal count that balances security with usability.
  2. Random Salt Generation: Implement a secure random salt generator for each PBE operation and ensure that salts are stored or transmitted securely alongside the ciphertext.

Immediate attention to this issue is recommended to maintain the privacy and security of BitDust users.
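The pattern reported above and the two recommendations, as an added Python example that is not part of the original issue and is not BitDust or Bismuth code. All constants, the header layout and the function names are assumptions made for illustration; it shows the salt and iteration count stored next to the ciphertext and a check that rejects weak stored parameters.

```python
import hashlib
import hmac
import os
import struct

# Constructed values for illustration; not taken from the BitDust source.
WEAK_ITERATIONS = 100            # below the 1,000 minimum cited in the issue
ZERO_SALT = bytes(16)            # constant all-zero salt
STRONG_ITERATIONS = 600_000      # assumption: tune with performance tests
SALT_LEN = 16
KEY_LEN = 32
HEADER = struct.Struct(">I16s")  # iteration count + salt, kept with the ciphertext


def derive_weak(password: bytes) -> bytes:
    """Pattern described in the issue: few iterations, constant salt."""
    return hashlib.pbkdf2_hmac("sha256", password, ZERO_SALT, WEAK_ITERATIONS, KEY_LEN)


def derive_new(password: bytes, iterations: int = STRONG_ITERATIONS):
    """Derive a key under a fresh random salt; return (header, key)."""
    salt = os.urandom(SALT_LEN)
    key = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, KEY_LEN)
    return HEADER.pack(iterations, salt), key


def derive_from_header(password: bytes, header: bytes, min_iterations: int = 1000) -> bytes:
    """Re-derive the key from a stored header, rejecting weak parameters."""
    iterations, salt = HEADER.unpack(header)
    if iterations < min_iterations:
        raise ValueError("iteration count below minimum")
    if salt == bytes(SALT_LEN):
        raise ValueError("all-zero salt")
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, KEY_LEN)


if __name__ == "__main__":
    pw = b"correct horse battery staple"  # constructed sample password
    # Constant salt: every use of this password yields the same key.
    print("weak keys identical:", derive_weak(pw) == derive_weak(pw))
    h1, k1 = derive_new(pw)
    h2, k2 = derive_new(pw)
    # Random salt: same password, unrelated keys.
    print("salted keys differ:", k1 != k2)
    print("round trip ok:", hmac.compare_digest(derive_from_header(pw, h1), k1))
```

The header is not secret; it only needs integrity protection together with the ciphertext, for example by including it as associated data in an AEAD mode.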

vesellov commented 11 months ago

Thank you @gxx777 !

Good catch.

Luckily the keys_gen() method is not used anywhere in the code. I will remove it in the next PR.