On Sat 16 Feb 2013 at 20:21:48 +0530, Mosh wrote: > 1. It is working correctly as designed, see the specs on how encryption > works: > http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation > and note the details on single bit corruption and its effect on blocks, > and error propagation across blocks.
The code in Vim uses the words "Output feedback mode" and the 3 letters "ofb" in a few places around bf_crypt_encode(), thereby suggesting that it is indeed using the Output FeedBack mode. However that isn't actually true. The code isn't really clear but I think it seems most like CFB: the plaintext is XORed with the output from the block cypher and given back to the block cypher in the next block. This became visible only when I drew a picture and compared it with those on the wikipedia page. It looks like that without the macro "BF_OFB_UPDATE" the code would actually implement OFB. > 2. > >> This attack allows someone to modfiy encrypted files so that the owner > >> doesn't notice. With sufficient tries or skill it might be possible to > >> change a file's values in a predictable way at a certain offset. > > This argument is not true for blowfish or any good encryption algorithm. Actually it can definitely be true. And that isn't due to a deficiency in Blowfish or its implementation, but when OFB mode is used. And as long as the code suggest that OFB indeed is used, this counts as a vulnerability in itself. As you can see at http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Output_feedback_.28OFB.29 when decrypting in OFB mode, a corruption in one cyphertext block does *not* propagate to any next block! In effect, the block cypher is merely used to generate a stream of pseudo-random bits which are Note I'm not a professional cryptographer, but I've made a few crypto thingies in the past and got lambasted for the stupid mistakes I made in them. This taught me that it is much more difficult to get it right than to get it wrong, and about some of the mistakes that any non-careful implementer oh so easily makes. I would suggest updating the terminology in blowfish.c, and then have another few people look at it to triple-check it. Oh, and I too think that decrypting to garbage without an error message is really the wrong thing to do. -Olaf. -- ___ Olaf 'Rhialto' Seibert -- The Doctor: No, 'eureka' is Greek for \X/ rhialto/at/xs4all.nl -- 'this bath is too hot.'
pgpZu1_AYNZV3.pgp
Description: PGP signature
