Closed terrorbyte closed 7 years ago
Hey, thanks for taking a look. Actually those are just wrapper functions. The actual authentication takes place here:
Let me know if this is what you were looking for.
I'm specifically discussing the usage of AES-CBC on both of the linked lines. Specifically the invocation of CryptoJS.mode.CBC
Does using AES-GCM offer any advantages (besides easier implementation) over manual encryption + auth with AES-CBC + HMAC?
Ah, I see what you were saying in the above comment, I didn't see the HMAC. You are doing EtM in that so it seems to be solid. Sorry to waste your time!
No worries, scared me for a sec ;)
Issue
The web interfaces is using AES-CBC and is not using standard AE (Authenticated Encryption) algorithms, which makes it vulnerable to specific cryptographic attacks.
See:
Resolution
Use AES-GCM or comparable algorithms for future proofing.
Location