Feature #792

Migrating encryption standard from AES-CBC to GCM

Added by ex1st almost 5 years ago. Updated almost 5 years ago.

Status: New
Priority: Normal
Assignee: harlo
Category: -
Target version: v2 - "Prusik"
Component:
Start date: 02/28/2013
Due date:
% Done: 0%

Description

Via Abel: It appears [1] you are using standard AES-CBC to encrypt the message contents before the stego process. AES-CBC is an unauthenticated form of encryption. I don't see any code doing additional MACing of the ciphertext, so Pixel Knot is vulnerable to active attackers flipping bits as the messages travel on the wire.

I recommend switching to an authenticated encryption cipher mode, namely, GCM.

If you're interested in Authenticated Encryption, Matthew Green's blog post on this is super [2].

[1]:
https://github.com/guardianproject/PixelKnot/blob/master/src/info/guardianproject/pixelknot/crypto/Aes.java#L81

[2]:
http://blog.cryptographyengineering.com/2012/05/how-to-choose-authenticated-encryption.html

History

#1 Updated by abeluck almost 5 years ago

Had to implement GCM in CacheWord, so here's how to do this.

You need to change two things:

1. Swap "AES/CBC/PKCS5Padding" for "AES/GCM/NoPadding" in Aes.java
2. Securely generate a random 12-byte (96-bit) IV and pass it to the Cipher.init() function

byte[] iv = generateIv(12);
// XXXX_MODE stands for ENCRYPT_MODE or DECRYPT_MODE, whichever the call site needs
cipher.init(Cipher.XXXX_MODE, secret_key, new IvParameterSpec(iv));

Here's a handy function

// Fills a fresh buffer of the requested length from SecureRandom
private static byte[] generateIv(int length) throws NoSuchAlgorithmException {
    byte[] iv = new byte[length];
    SecureRandom.getInstance("SHA1PRNG").nextBytes(iv);
    return iv;
}

Of course if you want to be backwards compatible, you'll have to write a migration function. Should be pretty simple though.
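As an added example (not PixelKnot's own code, and not from the comment above), here is the whole change in plain javax.crypto: AES/GCM/NoPadding, a fresh random 12-byte IV per message prepended to the output, and GCMParameterSpec (which the standard JDK provider expects for GCM) instead of IvParameterSpec. The main() also flips one ciphertext bit to show that, unlike CBC, decryption now fails with AEADBadTagException rather than returning silently corrupted plaintext. Class and method names are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class AesGcmExample {
    private static final int IV_LEN = 12;     // 96-bit nonce, the recommended GCM size
    private static final int TAG_BITS = 128;  // full-length authentication tag
    private static final SecureRandom RNG = new SecureRandom();

    // Output layout: [12-byte IV][ciphertext || 16-byte GCM tag]
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);  // fresh nonce per message; a nonce must never repeat under one key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[IV_LEN + ct.length];
        System.arraycopy(iv, 0, out, 0, IV_LEN);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return out;
    }

    // Reads the IV back from the front of the blob; throws AEADBadTagException on any tampering
    static byte[] decrypt(SecretKey key, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, blob, 0, IV_LEN));
        return c.doFinal(blob, IV_LEN, blob.length - IV_LEN);
    }

    public static void main(String[] args) throws Exception {
        byte[] keyBytes = new byte[16];  // constructed throwaway key for the demo
        RNG.nextBytes(keyBytes);
        SecretKey key = new SecretKeySpec(keyBytes, "AES");
        byte[] msg = "hidden message".getBytes(StandardCharsets.UTF_8);

        byte[] blob = encrypt(key, msg);
        System.out.println(new String(decrypt(key, blob), StandardCharsets.UTF_8));  // round trip

        blob[IV_LEN] ^= 0x01;  // simulate an in-transit bit flip in the first ciphertext byte
        try {
            decrypt(key, blob);
            System.out.println("tampering NOT detected");
        } catch (AEADBadTagException e) {
            System.out.println("tampering detected: " + e.getMessage());
        }
    }
}
```

For the migration mentioned above, one option is a leading format-version byte on the stored blob so the decrypt path can tell legacy CBC output from GCM output and route it accordingly.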
