Open yareckon opened 3 years ago
The section in question says (with our emphasis):
- Encryption (KEM+DEM)
  - Generates a random secret value
  - Encrypts the random secret value with your RSA public key, using PHPSecLib (RSAES-OAEP + MGF1-SHA256)
  - **Derives an encryption key from the secret value and its RSA-encrypted ciphertext, using HMAC-SHA256.**
  - Encrypts your plaintext message using defuse/php-encryption (authenticated symmetric-key encryption)
  - Calculates a checksum of both encrypted values (and a version tag)
- Authentication
  - Signs a message using PHPSecLib (RSASS-PSS + MGF1-SHA256)
That's the symmetric key (in bold). It's not transmitted; it must be recalculated by the recipient. In order to recalculate the same value, you must be able to decrypt the RSA ciphertext (first step), then HMAC the RSA plaintext with the RSA ciphertext. Only then can you decrypt the actual plaintext.
This strategy is an all-or-nothing derivation, which means you can't exploit padding oracles (provided the subsequent steps are constant-time).
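The KEM+DEM flow described above, as an added example written against Go's standard library rather than EasyRSA's own PHP code: RSAES-OAEP with SHA-256 and MGF1-SHA256 wraps a random 32-byte secret, HMAC-SHA256 keyed with that secret over its own RSA ciphertext derives the symmetric key, and AES-256-GCM stands in for defuse/php-encryption's authenticated encryption (the version tag and checksum steps are left out). Every decryption failure returns the same error, so a tampered RSA ciphertext and a tampered symmetric ciphertext are indistinguishable to the caller.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

type Ciphertext struct {
	Wrapped []byte // RSAES-OAEP (SHA-256, MGF1-SHA256) of the 32-byte random secret
	Sealed  []byte // nonce || AES-256-GCM output under the derived key (checksum and version tag omitted)
}
// ErrDecrypt covers every failure path: an OAEP rejection and a tag rejection look the same.
var ErrDecrypt = errors.New("decryption failed")

// deriveKey is the all-or-nothing step: HMAC-SHA256 keyed with the secret over its own RSA ciphertext.
func deriveKey(secret, wrapped []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write(wrapped)
	return mac.Sum(nil)
}

// Encrypt: random secret -> RSA-OAEP wrap -> HMAC-derived key -> AEAD seal.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) (*Ciphertext, error) {
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil { return nil, err }
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, secret, nil)
	if err != nil { return nil, err }
	block, _ := aes.NewCipher(deriveKey(secret, wrapped)) // 32-byte key: cannot fail
	aead, _ := cipher.NewGCM(block)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return &Ciphertext{wrapped, aead.Seal(nonce, nonce, plaintext, nil)}, nil
}

// Decrypt reverses the steps; a wrong secret yields a wrong key, so the tag check fails.
func Decrypt(priv *rsa.PrivateKey, ct *Ciphertext) ([]byte, error) {
	secret, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct.Wrapped, nil)
	if err != nil { return nil, ErrDecrypt }
	block, _ := aes.NewCipher(deriveKey(secret, ct.Wrapped))
	aead, _ := cipher.NewGCM(block)
	if ns := aead.NonceSize(); len(ct.Sealed) >= ns {
		if pt, err := aead.Open(nil, ct.Sealed[:ns], ct.Sealed[ns:], nil); err == nil { return pt, nil }
	}
	return nil, ErrDecrypt
}
```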
Since you obviously aren't just sending the used symmetric key along unencrypted, there is a step or two in the "Under the Hood" part of the README that is missing to describe it being encrypted again using the public key (I imagine). Not many folks will need that info, but you do have an "Under the Hood" section, and it should be complete.