Re: mcrypt status (Re: [gentoo-dev] Idea for a new project: gentoo-libs)
Hi,

On Sat, 4 Aug 2018 07:29:47 -0700 Hanno Böck wrote:
> > Symmetric cryptography is quite conservative and it took years and
> > even decades for algorithms and their implementations to become
> > trusted, so there is nothing wrong in using good old verified
> > software.
>
> When it comes to cipher modes the fact that people use decades old
> modes is a problem. See efail for a prominent example, but there
> are many less prominent ones.
>
> Look at the mcrypt webpage:
> http://mcrypt.sourceforge.net/
>
> Modes of Operation:
>
> CBC
> CFB
> CTR
> ECB
> OFB
> NCFB
>
> That is a mixture of very insecure (ECB), insecure in most situations
> (all others) and totally obscure modes. It doesn't include any
> authenticated encryption modes, which in most situations is what you
> want to use.

I want to use mcrypt for local encryption only, therefore I don't
really care about MACs. In my use cases modification tampering is easy
to detect by other means.

ECB is indeed unsafe and must be avoided (hey, openssl supports ECB as
well, let's ban it!). CBC is better, but vulnerable to POODLE, so I
agree on avoiding it as well.

As for CTR, (N)CFB, (N)OFB there is nothing obscure about them: they
are known for decades and are well studied. There are no direct
attacks on these modes known aside from detectable tampering
possibility.

Best regards,
Andrew Savchenko
Re: mcrypt status (Re: [gentoo-dev] Idea for a new project: gentoo-libs)
On Sat, 4 Aug 2018 13:05:56 -0500 Marty E. Plummer wrote:
[...]
> It seems that every last person commenting on this is talking mcrypt,
> not mhash, which is what I mentioned in the first place. As far as I can
> tell, these are entirely different projects which just happen to have a
> similar name.

Yes, they are. But in this very case I'm interested in mcrypt status,
not mhash, that's why I changed the subject field of this discussion.

Best regards,
Andrew Savchenko
Re: mcrypt status (Re: [gentoo-dev] Idea for a new project: gentoo-libs)
On Sat, Aug 04, 2018 at 11:43:28AM +0300, Andrew Savchenko wrote:
> On Mon, 25 Jun 2018 07:59:47 +0200 Hanno Böck wrote:
> > On Fri, 22 Jun 2018 21:50:50 -0500
> > "Marty E. Plummer" wrote:
> >
> > > So, as you may be aware I've been doing some work on moving bzip2 to
> > > an autotools based build. Recently I've run into app-crypt/mhash,
> > > which is in a semi-abandoned state (talking with the maintainer on
> > > twitter atm), and I was thinking it may be a good idea to set up a
> > > project for keeping these semi-abandoned and really-abandoned
> > > libraries and projects up to date and such.
> >
> > This is a common problem, however if you want to make this reasonable
> > you wouldn't make it a gentoo thing, but a cross-distro effort. The
> > idea has been tossed around a lot, but no one yet started implementing
> > it.
> >
> > However keeping things alive may not always be the right option.
> > There's a reason mcrypt is abandoned. It's an ancient crypto library,
> > crypto is moving forward, there are better options.
>
> Do you have any evidence that mcrypt should not be used?
>
> Symmetric cryptography is quite conservative and it took years and
> even decades for algorithms and their implementations to become
> trusted, so there is nothing wrong in using good old verified
> software.
>
> Actually for local symmetric encryption this is the best tool I
> know.
>
> Best regards,
> Andrew Savchenko

It seems that every last person commenting on this is talking mcrypt,
not mhash, which is what I mentioned in the first place. As far as I can
tell, these are entirely different projects which just happen to have a
similar name.
Re: mcrypt status (Re: [gentoo-dev] Idea for a new project: gentoo-libs)
On 2018-08-04 16:29, Hanno Böck wrote:
>> Do you have any evidence that mcrypt should not be used?
> Well, PHP was as far as I'm aware its main user and PHP has declared
> mcrypt support to be deprecated a while ago.

In all fairness: Yes, the PHP project has removed ext/mcrypt from core,
but they only moved it into its own PECL extension.

My point here is that they did not drop and prune mcrypt from the
universe due to security vulnerabilities.

Anyone interested in this should read the following posting [1].

tl;dr Like most crypto libs, mcrypt isn't easy to use and you will
likely do something wrong. In favor of better solutions which should
prevent such misuse, mcrypt was deprecated.

See also:
[1] https://why-cant-we-have-nice-things.mwl.be/requests/deprecate-then-remove-mcrypt.

-- 
Regards,
Thomas Deutschmann / Gentoo Linux Developer
C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5
Re: mcrypt status (Re: [gentoo-dev] Idea for a new project: gentoo-libs)
Hi,

On Sat, 4 Aug 2018 11:43:28 +0300 Andrew Savchenko wrote:
> Do you have any evidence that mcrypt should not be used?

Well, PHP was as far as I'm aware its main user and PHP has declared
mcrypt support to be deprecated a while ago.

> Symmetric cryptography is quite conservative and it took years and
> even decades for algorithms and their implementations to become
> trusted, so there is nothing wrong in using good old verified
> software.

When it comes to cipher modes the fact that people use decades old
modes is a problem. See efail for a prominent example, but there
are many less prominent ones.

Look at the mcrypt webpage:
http://mcrypt.sourceforge.net/

Modes of Operation:

CBC
CFB
CTR
ECB
OFB
NCFB

That is a mixture of very insecure (ECB), insecure in most situations
(all others) and totally obscure modes. It doesn't include any
authenticated encryption modes, which in most situations is what you
want to use.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
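The point Hanno makes about unauthenticated modes, and the "detectable tampering" Andrew mentions in his reply, can be shown mechanically. The following is an added example for this page, not code from the thread or from mcrypt (which is a C library): it uses Go's standard crypto/aes and crypto/cipher to encrypt one constructed record under AES-256-CTR and under AES-256-GCM, then applies the same ciphertext bit flip to both. The key, the record "amount=100;to=alice" and the target substring "900" are assumptions made up for the demonstration. In CTR the receiver decrypts the altered ciphertext to "amount=900;to=alice" with no error, because the mode carries nothing it could check; the same holds for OFB, and for CFB on the targeted bytes (at the cost of garbling the block that follows). GCM returns an authentication failure before releasing any plaintext. With the mcrypt modes, any tamper detection has to come from a MAC or other means outside the mode.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Result records how each receiver reacted to the same bit flip.
type Result struct {
	CTRPlain string // plaintext the CTR receiver accepts after tampering
	CTRErr   error  // stays nil: CTR has no way to notice the change
	GCMErr   error  // non-nil: the GCM tag check fails
}

// ctrXOR applies the AES-CTR keystream for iv to in. Encryption and
// decryption are the same operation, and no tag is produced or checked.
func ctrXOR(key, iv, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out, nil
}

// newGCM wraps AES in GCM, an authenticated mode mcrypt does not offer.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// flipToward is the attacker's move. With C = P XOR K (exact for CTR and OFB;
// CFB flips the targeted bytes too but garbles the next block), XORing
// (have XOR want) into the ciphertext at offset rewrites that known plaintext
// substring to want. The attacker never needs the key.
func flipToward(ct []byte, offset int, have, want []byte) []byte {
	out := append([]byte(nil), ct...)
	for i := range have {
		out[offset+i] ^= have[i] ^ want[i]
	}
	return out
}

// TamperDemo encrypts one constructed record under both modes, applies the
// same flip ("100" -> "900" at plaintext offset 7) to each ciphertext, and
// reports how each receiver reacts.
func TamperDemo(key []byte) (Result, error) {
	var r Result
	msg := []byte("amount=100;to=alice") // constructed sample record (assumption)
	have, want := []byte("100"), []byte("900")

	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return r, err
	}
	ct, err := ctrXOR(key, iv, msg)
	if err != nil {
		return r, err
	}
	pt, err := ctrXOR(key, iv, flipToward(ct, 7, have, want))
	r.CTRPlain, r.CTRErr = string(pt), err // decrypts cleanly: nothing to check

	aead, err := newGCM(key)
	if err != nil {
		return r, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return r, err
	}
	sealed := aead.Seal(nil, nonce, msg, nil) // ciphertext || tag
	_, r.GCMErr = aead.Open(nil, nonce, flipToward(sealed, 7, have, want), nil)
	return r, nil
}

func main() {
	key := make([]byte, 32) // AES-256 key, random for the demo
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	r, err := TamperDemo(key)
	if err != nil {
		panic(err)
	}
	fmt.Printf("CTR receiver accepted %q (err=%v)\n", r.CTRPlain, r.CTRErr)
	fmt.Printf("GCM receiver: err=%v\n", r.GCMErr)
}
```

The flip works against CTR regardless of the IV or key, which is why a fresh random IV per message does not help here; it is the missing integrity check, not the randomness, that matters. Replacing GCM with CTR plus an HMAC over IV and ciphertext (encrypt-then-MAC) gives the same rejection, which is the usual way to get integrity from a library that only offers the classic modes.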
mcrypt status (Re: [gentoo-dev] Idea for a new project: gentoo-libs)
On Mon, 25 Jun 2018 07:59:47 +0200 Hanno Böck wrote:
> On Fri, 22 Jun 2018 21:50:50 -0500
> "Marty E. Plummer" wrote:
>
> > So, as you may be aware I've been doing some work on moving bzip2 to
> > an autotools based build. Recently I've run into app-crypt/mhash,
> > which is in a semi-abandoned state (talking with the maintainer on
> > twitter atm), and I was thinking it may be a good idea to set up a
> > project for keeping these semi-abandoned and really-abandoned
> > libraries and projects up to date and such.
>
> This is a common problem, however if you want to make this reasonable
> you wouldn't make it a gentoo thing, but a cross-distro effort. The
> idea has been tossed around a lot, but no one yet started implementing
> it.
>
> However keeping things alive may not always be the right option.
> There's a reason mcrypt is abandoned. It's an ancient crypto library,
> crypto is moving forward, there are better options.

Do you have any evidence that mcrypt should not be used?

Symmetric cryptography is quite conservative and it took years and
even decades for algorithms and their implementations to become
trusted, so there is nothing wrong in using good old verified
software.

Actually for local symmetric encryption this is the best tool I
know.

Best regards,
Andrew Savchenko