Feature #792
Migrating encryption standard from AES-CBC to GCM
| Status: | New | Start date: | 02/28/2013 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | harlo | % Done: | 0% |
| Category: | - | | |
| Target version: | v2 - "Prusik" | | |
| Component: | | | |
Description
Via Abel: It appears [1] you are using standard AES-CBC to encrypt the message contents before the stego process. AES-CBC is an unauthenticated form of encryption. I don't see any code doing additional MACing of the ciphertext, so Pixel Knot is vulnerable to active attackers flipping bits as the messages travel on the wire.
I recommend switching to an authenticated encryption cipher mode, namely, GCM.
If you're interested in Authenticated Encryption, Matthew Green's blog post on this is super [2].
[2]: http://blog.cryptographyengineering.com/2012/05/how-to-choose-authenticated-encryption.html
History
#1 Updated by abeluck almost 5 years ago
Had to implement GCM in CacheWord, so here's how to do this.
You need to change two things:
1. In Aes.java, swap "AES/CBC/PKCS5Padding" for "AES/GCM/NoPadding".
2. Securely generate a random 12 byte (96 bits) IV and pass it to the Cipher.init() function:

```java
byte[] iv = generateIv(12);
cipher.init(Cipher.XXXX_MODE, secret_key, new IvParameterSpec(iv));
```

Here's a handy function:

```java
// Fills a buffer of the requested length from a cryptographically secure PRNG.
private static byte[] generateIv(int length) throws NoSuchAlgorithmException {
    byte[] iv = new byte[length];
    SecureRandom.getInstance("SHA1PRNG").nextBytes(iv);
    return iv;
}
```
Of course if you want to be backwards compatible, you'll have to write a migration function. Should be pretty simple though.