Package: bcrypt Version: 1.1-8.1+b1 The bcrypt package is 15 years outdated, with no updates. The last update was 2002-09-13: https://sourceforge.net/projects/bcrypt/files/.
In addition, bug #700758 mentions that bcrypt does not use a secure form of encryption, in that it uses the Blowfish algorithm. Indeed, Blowfish is a 64-bit cipher, and is vulnerable to the Sweet32 Birthday attack. See https://sweet32.info/. Further, it uses Blowfish in ECB mode (as bug #700758 mentions). ECB mode retains structure of the file that it encrypts, and should never be used as a serious mode of encryption. Continuing, aside from using an ECB mode, the encryption is not authenticated using a message authentication code (MAC). As such, the encrypted data is subject to bit flipping attacks, replay attacks, and other vulnerabilities. If that's not bad enough, the term `bcrypt' is actually a password hashing function with a tunable parameter as a CPU cost. However, this package is not doing password hashing, but instead doing only Blowfish encryption. See https://en.wikipedia.org/wiki/Bcrypt versus https://en.wikipedia.org/wiki/Blowfish_(cipher). Blowfish is not bcrypt, and bcrypt is not Blowfish. In the manpage, it provides http://www.counterpane.com/bfsh-koc.zip as a link to download the original Blowfish sources, but that link redirects to https://www.globalservices.bt.com/uk/en/products_category/security_and_risk_management. Further, the domain to the email address of <jshel...@ictransnet.com> is no longer valid. Due to the bugs: * Using Blowfish * Using ECB mode * Not using authenticated encryption * Manpage outdated * Package incorrectly named (confusing with the password hashing alg.) * Sources outdated This package should just be dropped from the repositories. -- . o . o . o . . o o . . . o . . . o . o o o . o . o o . . o o o o . o . . o o o o . o o o
signature.asc
Description: PGP signature
