mollyim / mollyim-android

Enhanced and security-focused fork of Signal.
GNU Affero General Public License v3.0

Switch to AES GCM or better #217

Closed rugk closed 4 months ago

rugk commented 9 months ago

Is there an existing request for this?

Feature description

Molly encrypts preferences value using AES-256 CBC mode.

With encrypt-then-mac or mac-then-encrypt?

CBC mode is brittle and can easily be insecure due to the way authentication can accidentally be mishandled.

https://security.stackexchange.com/questions/210072/why-does-ssl-labs-now-consider-cbc-suites-weak
https://crypto.stackexchange.com/questions/3883/why-is-cbc-with-predictable-iv-considered-insecure-against-chosen-plaintext-atta

Better switch to AES GCM mode, with authenticated data (in case you need it) or similar.

ghost commented 6 months ago

You should give Why AES-GCM Sucks a read.

Also, does Molly use CBC with HMAC (for encrypting preferences)? HMAC is widely used and might have better provable security than GMAC¹.

¹Don't take my word for it though.

sigmafn commented 4 months ago

With encrypt-then-mac or mac-then-encrypt?

FYI that question is answered by the sentence immediately following the one you quoted:

The preference name and the encrypted value are hashed together with HMAC-SHA256, and stored together with the encrypted value, providing authenticated encryption for the preferences.
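
As an added illustration of the encrypt-then-MAC layout quoted above (example code written for this thread, not Molly's own implementation): the value is encrypted with AES-CBC, then HMAC-SHA256 is computed over the preference name together with the IV and ciphertext, and that tag is checked in constant time before anything is decrypted, which is what keeps CBC's padding handling out of an attacker's reach. The iv || ciphertext || tag record layout, the separate encryption and MAC keys, and the caller supplying a 32-byte key to aes.NewCipher are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// mac binds the preference name to the IV and ciphertext, so a valid record
// copied under a different preference name fails authentication.
func mac(macKey []byte, name string, ivAndCt []byte) []byte {
	h := hmac.New(sha256.New, macKey)
	h.Write([]byte(name))
	h.Write(ivAndCt)
	return h.Sum(nil)
}

// Seal returns iv || AES-CBC(PKCS#7(value)) || HMAC-SHA256 tag (assumed layout, not Molly's).
func Seal(block cipher.Block, macKey []byte, name string, value []byte) ([]byte, error) {
	rec := make([]byte, aes.BlockSize) // fresh random IV for every value
	if _, err := rand.Read(rec); err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(value)%aes.BlockSize
	padded := append(append([]byte{}, value...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, rec).CryptBlocks(ct, padded)
	rec = append(rec, ct...)
	return append(rec, mac(macKey, name, rec)...), nil
}

// Open verifies the tag in constant time before decrypting, so forged, truncated
// or bit-flipped records are rejected without the padding check ever running.
func Open(block cipher.Block, macKey []byte, name string, rec []byte) ([]byte, error) {
	n := len(rec) - sha256.Size
	if n < 2*aes.BlockSize || n%aes.BlockSize != 0 ||
		!hmac.Equal(rec[n:], mac(macKey, name, rec[:n])) {
		return nil, errors.New("authentication failed")
	}
	pt := make([]byte, n-aes.BlockSize)
	cipher.NewCBCDecrypter(block, rec[:aes.BlockSize]).CryptBlocks(pt, rec[aes.BlockSize:n])
	if p := int(pt[len(pt)-1]); p >= 1 && p <= aes.BlockSize {
		return pt[:len(pt)-p], nil
	}
	return nil, errors.New("bad padding")
}
```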

valldrac commented 4 months ago

I appreciate all input. As previously mentioned, I find no strong justification for changing this, and adding complexity to perform the migration seems unnecessary.

However, if there's any vulnerability in the current encryption, it should be identified and reported accordingly.