Hi, The blowfish encryption mode is vulnerable (not to revelation of the plaintext), but the encryption is not checked for integrity or authenticity. This means that someone might corrupt the encrypted file (hexedit or similar), and vim will decrypt it without notice of error or warning.
This attack allows someone to modfiy encrypted files so that the owner doesn't notice. With sufficient tries or skill it might be possible to change a file's values in a predictable way at a certain offset. The solution is an authenticated encryption mode. The common way to do it is 'Encrypt-then-MAC' where a message authentication code is formed from the ciphertext and the key. This code when matching will prove that the document is unchanged and was produced by someone with access to the key. This code will detect the previous attack case, and additionally it allows vim to detect that the wrong password was entered. Security practise says that Vim must fail with an error if the MAC does not match. HTH, ulrik -- -- You received this message from the "vim_dev" maillist. Do not top-post! Type your reply below the text you are replying to. For more information, visit http://www.vim.org/maillist.php --- You received this message because you are subscribed to the Google Groups "vim_dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
