Package: bcrypt
Version: 1.1-8.1+b1
The bcrypt package is 15 years outdated, with no updates. The last update was
2002-09-13: https://sourceforge.net/projects/bcrypt/files/.
In addition, bug #700758 mentions that bcrypt does not use a secure form of
encryption, in that it uses the Blowfish algorithm. Indeed, Blowfish is a
64-bit cipher, and is vulnerable to the Sweet32 Birthday attack. See
https://sweet32.info/.
Further, it uses Blowfish in ECB mode (as bug #700758 mentions). ECB mode
retains structure of the file that it encrypts, and should never be used as a
serious mode of encryption.
Continuing, aside from using an ECB mode, the encryption is not authenticated
using a message authentication code (MAC). As such, the encrypted data is
subject to bit flipping attacks, replay attacks, and other vulnerabilities.
If that's not bad enough, the term `bcrypt' is actually a password hashing
function with a tunable parameter as a CPU cost. However, this package is not
doing password hashing, but instead doing only Blowfish encryption. See
https://en.wikipedia.org/wiki/Bcrypt versus
https://en.wikipedia.org/wiki/Blowfish_(cipher). Blowfish is not bcrypt, and
bcrypt is not Blowfish.
In the manpage, it provides http://www.counterpane.com/bfsh-koc.zip as a link
to download the original Blowfish sources, but that link redirects to
https://www.globalservices.bt.com/uk/en/products_category/security_and_risk_management.
Further, the domain to the email address of is no
longer valid.
Due to the bugs:
* Using Blowfish
* Using ECB mode
* Not using authenticated encryption
* Manpage outdated
* Package incorrectly named (confusing with the password hashing alg.)
* Sources outdated
This package should just be dropped from the repositories.
--
. o . o . o . . o o . . . o .
. . o . o o o . o . o o . . o
o o o . o . . o o o o . o o o
signature.asc
Description: PGP signature
