Apteryks
commented
3 years ago The CVE linked above seems to only affects applications not using hybrid (public/private) crypto, which sflvault does, so it should be safe, FWIW.
Open Apteryks opened 3 years ago
Apteryks
commented
3 years ago The CVE linked above seems to only affects applications not using hybrid (public/private) crypto, which sflvault does, so it should be safe, FWIW.
maximest-pierre
commented
3 years ago There is actually some hybrid crypto going on in the background deep somewhere if my memories serve because back when I used to work at SFL, we actually did talk about that CVE more than once.
There is no way to go forward since pycryptodome has no support for ElGamal.
Apteryks
commented
3 years ago @maximest-pierre Thanks for tipping in. The author of pycryptodome points to RSA as a suitable replacement for ElGamal; we should evaluate how complex a transition to it would be.
There's at least one CVE which has gone unfixed, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6594. The corresponding (unfixed) issue is https://github.com/pycrypto/pycrypto/issues/253.
There's an actively maintained forked of pycrypto which is https://github.com/Legrandin/pycryptodome, but it removed rather than fixed the support for ElGamal encryption/decryption that sflvault relies on, so migration is non trivial.
Also see https://www.chenweikeng.com/elgamal.html and the question here: https://github.com/Legrandin/pycryptodome/issues/504.