Closed (rugk closed this 4 months ago)
You should give Why AES-GCM Sucks a read.
Also, does Molly use CBC with HMAC (for encrypting preferences)? HMAC is widely used and might have better provable security than GMAC¹.
With encrypt-then-mac or mac-then-encrypt?
FYI that question is answered by the sentence immediately following the one you quoted:
The preference name and the encrypted value are hashed together with HMAC-SHA256, and stored together with the encrypted value, providing authenticated encryption for the preferences.
I appreciate all input. As previously mentioned, I find no strong justification for changing this, and adding complexity to perform the migration seems unnecessary.
However, if there's any vulnerability in the current encryption, it should be identified and reported accordingly.
Is there an existing request for this?
Feature description
With encrypt-then-mac or mac-then-encrypt?
CBC mode is brittle and can easily be insecure due to the way authentication can accidentally be mishandled.
https://security.stackexchange.com/questions/210072/why-does-ssl-labs-now-consider-cbc-suites-weak
https://crypto.stackexchange.com/questions/3883/why-is-cbc-with-predictable-iv-considered-insecure-against-chosen-plaintext-atta
Better switch to AES GCM mode, with authenticated data (in case you need it) or similar.
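To make the two schemes discussed in this thread concrete, here is an added Go example (not Molly's code, and not taken from this issue) that implements both side by side: the CBC + HMAC-SHA256 encrypt-then-MAC construction described in the quoted documentation sentence, where the preference name is hashed into the tag together with the IV and ciphertext, and the AES-GCM alternative proposed in the feature description, where the preference name goes in as associated data. The function names (`cbcHmacSeal`, `cbcHmacOpen`, `gcmSeal`, `gcmOpen`), the blob layouts and the all-same-byte demo keys are assumptions made for the example; the point it demonstrates is the ordering that keeps CBC+HMAC safe (verify the tag in constant time before decrypting or inspecting padding, and return one generic error), and that GCM gets the same properties from the AEAD interface without a separate MAC step to get wrong.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// One generic error for every failure on the decrypt path, so a caller (or
// anyone feeding it blobs) cannot tell a bad tag from bad padding.
var errDecrypt = errors.New("decryption failed")

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad expects a non-empty, block-aligned input (cbcHmacOpen guarantees
// it) and runs only after the MAC has passed, so its timing leaks nothing.
func pkcs7Unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errDecrypt
	}
	return b[:len(b)-n], nil
}

// cbcHmacSeal: AES-CBC encrypt-then-MAC. Output is iv || ct || tag with
// tag = HMAC-SHA256(macKey, name || iv || ct); hashing the preference name
// into the tag binds each stored value to its own key (assumed layout).
func cbcHmacSeal(block cipher.Block, macKey []byte, name string, plaintext []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil { // fresh, unpredictable IV per value
		return nil, err
	}
	padded := pkcs7Pad(plaintext)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	body := append(iv, ct...)
	mac := hmac.New(sha256.New, macKey)
	mac.Write([]byte(name))
	mac.Write(body)
	return mac.Sum(body), nil
}

// cbcHmacOpen checks the tag in constant time BEFORE touching the ciphertext;
// that ordering is what keeps CBC+HMAC free of padding-oracle behaviour.
func cbcHmacOpen(block cipher.Block, macKey []byte, name string, blob []byte) ([]byte, error) {
	if len(blob) < 2*aes.BlockSize+sha256.Size || (len(blob)-sha256.Size)%aes.BlockSize != 0 {
		return nil, errDecrypt
	}
	body, tag := blob[:len(blob)-sha256.Size], blob[len(blob)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write([]byte(name))
	mac.Write(body)
	if !hmac.Equal(tag, mac.Sum(nil)) {
		return nil, errDecrypt
	}
	pt := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, body[:aes.BlockSize]).CryptBlocks(pt, body[aes.BlockSize:])
	return pkcs7Unpad(pt)
}

// gcmSeal: AES-GCM with the preference name as associated data, so the name is
// authenticated without being stored in the blob (nonce || ct || tag).
func gcmSeal(aead cipher.AEAD, name string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // a nonce must never repeat under one key
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// gcmOpen: the AEAD does the tag check internally; a wrong name or any
// modified byte gives an error and no plaintext.
func gcmOpen(aead cipher.AEAD, name string, blob []byte) ([]byte, error) {
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errDecrypt
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], []byte(name))
}

func main() {
	// Constructed demo key (all 0x42, so NewCipher cannot fail); a real app derives keys from a keystore.
	block, _ := aes.NewCipher(bytes.Repeat([]byte{0x42}, 32))
	aead, _ := cipher.NewGCM(block)
	blob, _ := gcmSeal(aead, "pin", []byte("1234"))
	_, err := gcmOpen(aead, "other_pref", blob) // same blob, different preference name
	fmt.Println("GCM rejects a blob moved under another name:", err != nil)
}
```

Both paths use separate keys for encryption and MAC (CBC) and a dedicated key for GCM; the test below checks round trips, rejection of a blob re-labelled with another preference name, a flipped ciphertext byte and a truncated blob for each scheme.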