wireapp / proteus

Axolotl Protocol Implementation
GNU General Public License v3.0

Update AEAD handling #30

Closed franziskuskiefer closed 4 years ago

franziskuskiefer commented 4 years ago

In this PR I change when the counter gets increased. Before it was not increased when the decryption failed (invalid tag). Now the counter is increased even if the decryption fails.

raphaelrobert commented 4 years ago

I'm concerned this could introduce another attack:

If an attacker sends completely bogus messages to a recipient, the recipient will now blindly increase the counter. When the recipient afterwards receives a valid message, they will not be able to decrypt it because of FS.

franziskuskiefer commented 4 years ago

> If an attacker sends completely bogus messages to a recipient, the recipient will now blindly increase the counter. When the recipient afterwards receives a valid message, they will not be able to decrypt it because of FS.

Sure, with the mechanisms currently available (the counter). There will always be one attack or the other.

raphaelrobert commented 4 years ago

The counter is covered by the MAC, so an attacker couldn't manipulate the counter with bogus messages (where the verification fails) until now. With this PR an attacker can increase the counter by sending any random message.

franziskuskiefer commented 4 years ago

Right, but at the moment an attacker can invalidate messages and thus produce a TooDistantFuture error that (if performed in both directions) is unrecoverable.

franziskuskiefer commented 4 years ago

Fixes https://github.com/wireapp/security/issues/22

@raphaelrobert how do you want to proceed here?

franziskuskiefer commented 4 years ago

@raphaelrobert can you review? Not counting anymore on failure, but properly handling decryption.

raphaelrobert commented 4 years ago

If we don't do any other changes we should bump the version number.
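
The trade-off discussed in this thread, as an added example (not proteus code and not taken from the PR): a toy receive chain in Python that uses HMAC-SHA256 in place of the AEAD, run once with the counter advancing on a failed tag check and once with state committed only after the tag verifies. `RecvChain`, `MAX_SKIP`, the KDF labels and the key are assumptions made for illustration.

```python
import hashlib
import hmac

MAX_SKIP = 1000  # assumed limit on how far ahead of the chain a counter may be


def kdf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def tag_for(chain_key: bytes, counter: int, body: bytes) -> bytes:
    # The counter is covered by the tag, as in the discussion above.
    return kdf(kdf(chain_key, b"msg"), counter.to_bytes(4, "big") + body)


class RecvChain:
    """Toy receive chain; skipped message keys are not stored in this sketch."""

    def __init__(self, chain_key: bytes, advance_on_failure: bool):
        self.chain_key, self.counter = chain_key, 0
        self.advance_on_failure = advance_on_failure

    def receive(self, counter: int, body: bytes, tag: bytes) -> bool:
        if counter < self.counter:
            return False  # that key is gone (forward secrecy)
        if counter - self.counter > MAX_SKIP:
            return False  # too far in the future
        ck = self.chain_key  # local copy: nothing is committed yet
        for _ in range(self.counter, counter):
            ck = kdf(ck, b"chain")
        ok = hmac.compare_digest(tag, tag_for(ck, counter, body))
        if ok or self.advance_on_failure:
            self.chain_key, self.counter = kdf(ck, b"chain"), counter + 1
        return ok


def send(root: bytes, counter: int, body: bytes):
    ck = root
    for _ in range(counter):
        ck = kdf(ck, b"chain")
    return counter, body, tag_for(ck, counter, body)


def run(advance_on_failure: bool):
    root = b"\x01" * 32  # constructed key, for illustration only
    chain = RecvChain(root, advance_on_failure)
    forged = chain.receive(0, b"junk", b"\x00" * 32)  # tag cannot verify
    genuine = chain.receive(*send(root, 0, b"hello"))
    return forged, genuine, chain.counter
```

`run(True)` rejects the genuine message that follows the unauthenticated one, while `run(False)` accepts it because the failed check left the chain state untouched.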