Crypto: Not using authenticated encryption

[terrorbyte]

Issue

The web interfaces is using AES-CBC and is not using standard AE (Authenticated Encryption) algorithms, which makes it vulnerable to specific cryptographic attacks.

See:

• https://en.wikipedia.org/wiki/Authenticated_encryption
• https://blog.cryptographyengineering.com/2012/05/19/how-to-choose-authenticated-encryption/

Resolution

Use AES-GCM or comparable algorithms for future proofing.

Location

• https://github.com/standardnotes/web/blob/e79bc29b89489d813e6ea614ce227f0e24881e95/app/assets/javascripts/app/services/helpers/crypto.js#L23
• https://github.com/standardnotes/web/blob/e79bc29b89489d813e6ea614ce227f0e24881e95/app/assets/javascripts/app/services/helpers/crypto.js#L30

[moughxyz]

Hey, thanks for taking a look. Actually those are just wrapper functions. The actual authentication takes place here:

https://github.com/standardnotes/web/blob/master/app/assets/javascripts/app/services/apiController.js#L521

Let me know if this is what you were looking for.

[terrorbyte]

I'm specifically discussing the usage of AES-CBC on both of the linked lines. Specifically the invocation of CryptoJS.mode.CBC

[moughxyz]

Does using AES-GCM offer any advantages (besides easier implementation) over manual encryption + auth with AES-CBC + HMAC?

[terrorbyte]

Ah, I see what you were saying in the above comment, I didn't see the HMAC. You are doing EtM in that so it seems to be solid. Sorry to waste your time!

[moughxyz]

No worries, scared me for a sec ;)