voodooEntity / go-tachicrypt

An experimental CLI tool to encrypt & decrypt files/directories.
Apache License 2.0

Possible known cleartext issue #5

Open voodooEntity opened 2 days ago

voodooEntity commented 2 days ago

Due to using zip as the format before encrypting, there is a possible issue with a "known cleartext attack" against the zip's header.

While in theory you first must figure out which part is the actual "first" part, there still is the issue that this attack may help weaken the encryption of at least the first part.

There are two possible solutions to mitigate this issue:

  1. Figure out the exact length of the zip header bytes and remove them before encrypting (and add them when decrypting again).
  2. Remove zip as layer and instead implement a custom method of gathering the file(s) and directory(ies).

voodooEntity commented 2 days ago

Zip header definition: https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT 4.3
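
The first mitigation from the issue, as an added example that is not code from go-tachicrypt: it measures the first local file header using the layout in APPNOTE.TXT 4.3.7, splits it off, and shows the two parts rejoin to the original bytes. The function names `splitFirstHeader` and `buildSampleZip` and the sample archive are assumptions constructed for illustration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// splitFirstHeader separates the first local file header from the rest of a
// zip stream. Per APPNOTE.TXT 4.3.7 the header is 30 fixed bytes followed by
// the file name and the extra field, whose lengths sit at offsets 26 and 28.
func splitFirstHeader(z []byte) (hdr, rest []byte, err error) {
	const fixed = 30
	if len(z) < fixed || binary.LittleEndian.Uint32(z[:4]) != 0x04034b50 {
		return nil, nil, errors.New("no local file header at offset 0")
	}
	nameLen := int(binary.LittleEndian.Uint16(z[26:28]))
	extraLen := int(binary.LittleEndian.Uint16(z[28:30]))
	n := fixed + nameLen + extraLen
	if n > len(z) {
		return nil, nil, errors.New("truncated local file header")
	}
	return z[:n], z[n:], nil
}

// buildSampleZip returns a constructed one-entry archive held in memory.
func buildSampleZip(name string, data []byte) ([]byte, error) {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	f, err := w.Create(name)
	if err != nil {
		return nil, err
	}
	if _, err = f.Write(data); err != nil {
		return nil, err
	}
	if err = w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() {
	z, _ := buildSampleZip("notes.txt", []byte("constructed sample data"))
	hdr, rest, err := splitFirstHeader(z)
	fmt.Println(len(hdr), len(rest), err)
}
```

Every entry in an archive carries its own local file header, and the archive ends with a central directory that repeats the entry names, so splitting off only the first header leaves those structures in the remaining bytes.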