On 17/06/2015 02:11, Maarten Bodewes wrote: 

> Hi rsyncrypto devs,
> 
> I've tried reading the source code but I cannot see if there is any signature 
> or MAC added to the ciphertext. Is it possible that this protocol is 
> vulnerable to padding Oracle attacks (in addition to changes to the 
> ciphertext / plaintext)? Or am I mistaken about that?

My home internet connection is fried at the moment. It will take me a
couple of days to give you a properly researched answer. 

In a nutshell, I will say this: 

  * I was not previously aware of the padding oracle attack. Off the top
    of my head, the attack's premise seems counter to how rsyncrypto is
    typically used, but I'm open to hear of differing opinions.
  * There is no signature protecting the entire file. I'll elaborate
    when I'm not at work (in a couple of days, I hope).
  * If memory serves me right, the padding is not checked. This also
    violates the premise that POA relies upon. Then again, it might be an
    opening to a whole host of other problems I'm unaware of. Feel free to
    chime in. I always appreciate constructive feedback.

> Is there any clear protocol description that would show how the ciphertext is 
> constructed together?

There is http://rsyncrypto.lingnu.com/index.php/Algorithm. If you find
it lacking, please tell me what you need more, and I'll try to add it. 

Also, please check out the future plans, as it contains some known
weaknesses and my plans of how to address them. 

Shachar 
 
------------------------------------------------------------------------------
_______________________________________________
Rsyncrypto-devel mailing list
Rsyncrypto-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rsyncrypto-devel
