leonlatsch / Photok

Encrypted Photo Safe for Android
Apache License 2.0
436 stars 46 forks

[Security] Use random IV for encryption #204

Open FlorianPicca opened 1 year ago

FlorianPicca commented 1 year ago

Description

Files are encrypted using a key and IV derived from the password. Because this process is entirely deterministic, every file will be encrypted with the same Key/IV pair, which completely breaks the confidentiality offered by the GCM mode of operation. You can find more information about why this is bad here.

Impact

An attacker with access to encrypted files (which might require root privileges) and knowledge of a single photo can decrypt and view every other photo without knowing the password.

Recommendation

Use a randomly generated IV for each encryption operation.
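The following is an added, self-contained Go example that illustrates the issue and the recommended fix; it is not Photok's code (Photok is a Kotlin Android app), and the `deriveKeyIV` derivation (SHA-256 of the password for the key, SHA-256 of the password plus a constant for the nonce) is only an assumed stand-in for "key and IV derived deterministically from the password". Because GCM is CTR mode under the hood, two files sealed with the same key/nonce pair are XORed with the same keystream, so `ct_A XOR pt_A XOR ct_B` recovers `pt_B` (up to the length of the known file) with no key involved. The fix generates a fresh random nonce per encryption and stores it alongside the ciphertext.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// deriveKeyIV is an ASSUMED stand-in for a fully deterministic derivation:
// key and nonce depend on the password alone, so every file gets the same
// key/nonce pair. Not Photok's actual code.
func deriveKeyIV(password string) (key, nonce []byte) {
	k := sha256.Sum256([]byte(password))
	n := sha256.Sum256([]byte(password + "/iv"))
	return k[:], n[:12] // AES-256 key, 96-bit GCM nonce
}

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// encryptDeterministic mirrors the flawed scheme: same nonce for every file.
func encryptDeterministic(password string, plaintext []byte) []byte {
	key, nonce := deriveKeyIV(password)
	return newGCM(key).Seal(nil, nonce, plaintext, nil)
}

// recoverFromKnownPlaintext is the attack: with ciphertext+plaintext of a
// known file A and the ciphertext of an unknown file B (same key/nonce),
// the keystream cancels out: ct_A ^ pt_A ^ ct_B = pt_B. The 16-byte GCM
// tag at the end of each ciphertext is not needed and is skipped.
func recoverFromKnownPlaintext(ctKnown, ptKnown, ctTarget []byte) []byte {
	const tagSize = 16
	n := len(ptKnown)
	if m := len(ctTarget) - tagSize; m < n {
		n = m
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = ctKnown[i] ^ ptKnown[i] ^ ctTarget[i]
	}
	return out
}

// encryptRandomNonce is the recommended fix: a fresh random nonce per
// encryption, prefixed to the ciphertext so decryption can find it.
func encryptRandomNonce(key, plaintext []byte) ([]byte, error) {
	aead := newGCM(key)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

func decryptRandomNonce(key, blob []byte) ([]byte, error) {
	aead := newGCM(key)
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], nil)
}

func main() {
	// Constructed sample "photos"; any bytes would do.
	photoA := []byte("JPEG-A: the one photo the attacker already knows")
	photoB := []byte("JPEG-B: a secret photo the attacker wants")
	pw := "correct horse battery staple"

	ctA := encryptDeterministic(pw, photoA)
	ctB := encryptDeterministic(pw, photoB)
	fmt.Printf("recovered without the password: %q\n", recoverFromKnownPlaintext(ctA, photoA, ctB))

	key, _ := deriveKeyIV(pw)
	rA, _ := encryptRandomNonce(key, photoA)
	rB, _ := encryptRandomNonce(key, photoB)
	fmt.Println("random-nonce ciphertexts share a prefix:", bytes.Equal(rA[:12], rB[:12]))
	pt, err := decryptRandomNonce(key, rB)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(pt, photoB))
}
```

Note that the recovered length is bounded by the longest known plaintext: one known photo of typical size is enough to strip the keystream from any file up to that size. A random nonce fixes the keystream reuse, but the 96-bit nonce still must never repeat under the same key; with a per-file random nonce and a key derived from a single password that is fine for a photo safe's volume, and a stronger, salted KDF (as discussed below) is a separate improvement.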

leonlatsch commented 1 year ago

Thank you for this submission. A similar issue was reported a while back but this one really breaks it down, so I will keep it open.

I may change the title and keep this as a todo for the future.

leonlatsch commented 1 year ago

Was reported in #177.

leonlatsch commented 1 year ago

Implementing this means we need some kind of migration for the users' files, as well as a new backup restoring version.

FlorianPicca commented 1 year ago

I did not see the previous issue, but I do agree with the author. The other issues discussed there are legit and I didn't report them here because I wanted to focus on the main problem, which is the IV handling.

If you want to use a better key derivation function than SHA256, you might want to look at this resource, which recommends argon2id as mentioned in the previous issue. You might even want to change your password storage mechanisms to use that.