Ulrik, Any one random bit flip will cause to one block (8 bytes) to be corrupted at that point, and then all bytes thereafter will be corrupted. Not just 1 bit corruption in encrypted text.
And if you encrypt two text files with 1 bit difference, they should be completely different when encrypted. Even same text file will come out different each time it is written encrypted. Because a random seed is also used. Let me do more tests, and check how you got 1 bit difference. I am using an older gvim73, that I compiled myself. thanks for the report, mohsin On Fri, Feb 15, 2013 at 5:37 AM, Ulrik <[email protected]> wrote: > On 2013-02-14 22:08, Bram Moolenaar wrote: >> >> Ulrik Sverdrup wrote: >> >>> The blowfish encryption mode is vulnerable (not to revelation of the >>> plaintext), but the encryption is not checked for integrity or >>> authenticity. This means that someone might corrupt the encrypted file >>> (hexedit or similar), and vim will decrypt it without notice of error or >>> warning. >>> >>> This attack allows someone to modfiy encrypted files so that the owner >>> doesn't notice. With sufficient tries or skill it might be possible to >>> change a file's values in a predictable way at a certain offset. >>> >>> The solution is an authenticated encryption mode. The common way to do >>> it is 'Encrypt-then-MAC' where a message authentication code is formed >>> from the ciphertext and the key. This code when matching will prove that >>> the document is unchanged and was produced by someone with access to the >>> key. This code will detect the previous attack case, and additionally it >>> allows vim to detect that the wrong password was entered. Security >>> practise says that Vim must fail with an error if the MAC does not match. >> >> I think that a verification key will actually make it easier to crack >> the password. Currently, when an attacker tries all kinds of passwords, >> he also needs a way to verify the decrypted text is actually readable. >> That is not so easy to do. With a verification key the verify part >> becomes really easy and fast. >> >> It is extremely difficult to change the file in a way that after >> decryption it is readable text. Probably just as difficult as cracking >> the password. When knowing that a file is only plain text, checking for >> invalid Unicode characters is probably sufficient to notice that the >> decryption failed. >> > > Using Vim 7.3 patches 1-547, this is not true, and it is trivially > testable (otherwise I would not have claimed it). > > Using :set cm=blowfish :X goodenough > I produced file A that ends with "I owe you 200 USD" > > using hex editor I flipped 1 single bit to produce file B, that ends > with "I owe you 300 USD". You can diff the two binary files by using: > > diff <(xxd A) <(xxd B) > > a one-bit difference in the ciphertext leads to a one-bit difference in > the plain text, and we have a false document and undedetected corruption. > > To reproduce, here are files A and B: > > xxd -r >A <<EOF > 0000000: 5669 6d43 7279 7074 7e30 3221 4638 a780 VimCrypt~02!F8.. > 0000010: 332a 14a3 e680 d2dd 2003 d079 9b8a 6ca7 3*...... ..y..l. > 0000020: 0e43 da8b b1bb 6aad 0f1a c38c f4ba 24ba .C....j.......$. > 0000030: 181b c7d6 9b8a 6ca7 0e43 da8b b1bb 6aad ......l..C....j. > 0000040: 0f1a c38c f4ba 24ba 181b c7d6 9b8a 6ca7 ......$.......l. > 0000050: 0e43 da8b b1bb 6aad 0f1a c38c ec09 c98f .C....j......... > 0000060: 2322 0fd6 1aff 59b1 47cc a61f 5a62 c89c #"....Y.G...Zb.. > 0000070: eba3 d824 ec09 c98f 2322 0fd6 1aff 59b1 ...$....#"....Y. > 0000080: 47cc a61f 5a62 c89c eba3 d824 ec09 c98f G...Zb.....$.... > 0000090: 2322 0fd6 1aa1 78f8 5b9b aa4c dbfb 6d56 #"....x.[..L..mV > 00000a0: 32e5 962e b15c 000a f6 2....\... > EOF > > xxd -r >B <<EOF > 0000000: 5669 6d43 7279 7074 7e30 3221 4638 a780 VimCrypt~02!F8.. > 0000010: 332a 14a3 e680 d2dd 2003 d079 9b8a 6ca7 3*...... ..y..l. > 0000020: 0e43 da8b b1bb 6aad 0f1a c38c f4ba 24ba .C....j.......$. > 0000030: 181b c7d6 9b8a 6ca7 0e43 da8b b1bb 6aad ......l..C....j. > 0000040: 0f1a c38c f4ba 24ba 181b c7d6 9b8a 6ca7 ......$.......l. > 0000050: 0e43 da8b b1bb 6aad 0f1a c38c ec09 c98f .C....j......... > 0000060: 2322 0fd6 1aff 59b1 47cc a61f 5a62 c89c #"....Y.G...Zb.. > 0000070: eba3 d824 ec09 c98f 2322 0fd6 1aff 59b1 ...$....#"....Y. > 0000080: 47cc a61f 5a62 c89c eba3 d824 ec09 c98f G...Zb.....$.... > 0000090: 2322 0fd6 1aa1 78f8 5b9b aa4c dbfb 6d56 #"....x.[..L..mV > 00000a0: 33e5 962e b15c 000a f6 3....\... > EOF > > > Note: I didn't search or brute force this, I only counted the right byte > offset in the file and flipped a bit. I really hope I am somehow > mistaken, but I don't think I am. > > Regarding quickening brute force by using a MAC, this is a false, the > MAC can have equivalent security factor to the block cipher, it should > really not be a concern. > > HTH, > ulrik > > PS. the password is 'goodenough' literally. > > -- > -- > You received this message from the "vim_dev" maillist. > Do not top-post! Type your reply below the text you are replying to. > For more information, visit http://www.vim.org/maillist.php > > --- > You received this message because you are subscribed to the Google Groups > "vim_dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/groups/opt_out. > > -- -- You received this message from the "vim_dev" maillist. Do not top-post! Type your reply below the text you are replying to. For more information, visit http://www.vim.org/maillist.php --- You received this message because you are subscribed to the Google Groups "vim_dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
