Olaf Seibert wrote:

> On Sat 16 Feb 2013 at 20:21:48 +0530, Mosh wrote:
> > 1.  It is working correctly as designed,  see the specs on how encryption 
> > works:
> >      http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation
> >      and note the details on single bit corruption and its effect on blocks,
> >      and error propagation across blocks.
> 
> The code in Vim uses the words "Output feedback mode" and the 3 letters
> "ofb" in a few places around bf_crypt_encode(), thereby suggesting that
> it is indeed using the Output FeedBack mode.
> 
> However that isn't actually true. The code isn't really clear but I
> think it seems most like CFB: the plaintext is XORed with the output
> from the block cypher and given back to the block cypher in the next
> block. This became visible only when I drew a picture and compared it
> with those on the wikipedia page.
> 
> It looks like that without the macro "BF_OFB_UPDATE" the code would
> actually implement OFB.

Right, it looks like the code is doing CFB instead of OFB.

> > 2.
> > >> This attack allows someone to modify encrypted files so that the owner
> > >> doesn't notice. With sufficient tries or skill it might be possible to
> > >> change a file's values in a predictable way at a certain offset.
> > 
> > This argument is not true for blowfish or any good encryption algorithm.
> 
> Actually it can definitely be true. And that isn't due to a deficiency
> in Blowfish or its implementation, but when OFB mode is used. And as
> long as the code suggests that OFB indeed is used, this counts as a
> vulnerability in itself.
> 
> As you can see at 
> http://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Output_feedback_.28OFB.29
> when decrypting in OFB mode, a corruption in one cyphertext block does
> *not* propagate to any next block! In effect, the block cypher is merely
> used to generate a stream of pseudo-random bits which are 
> XORed with the plain text to generate the ciphertext.
> 
> Which means that an attacker can trivially flip any bits in the file
> that (s)he wishes.

So, CFB is better than OFB?  Then we are fine.

> Note I'm not a professional cryptographer, but I've made a few crypto
> thingies in the past and got lambasted for the stupid mistakes I made in
> them.  This taught me that it is much more difficult to get it right
> than to get it wrong, and about some of the mistakes that any
> non-careful implementer oh so easily makes.
> 
> I would suggest updating the terminology in blowfish.c, and then have
> another few people look at it to triple-check it.
> 
> Oh, and I too think that decrypting to garbage without an error message
> is really the wrong thing to do.

It does make an attack more complicated.  Even more so when compressing
the text before encrypting it.

-- 
hundred-and-one symptoms of being an internet addict:
142. You dream about creating the world's greatest web site.

 /// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\  an exciting new programming language -- http://www.Zimbu.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///

-- 
-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
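An added illustration of the two modes the thread contrasts (example code written for this page, not Vim's blowfish.c; it assumes an HMAC-based keyed-PRF stand-in for Blowfish and constructed key, IV and plaintext): decrypting a ciphertext with one flipped bit shows OFB passing the flip straight through to the plaintext, and CFB passing it through and additionally garbling the following block, which is why neither mode substitutes for an integrity check such as a MAC over the ciphertext.

```python
import hmac, hashlib

BLOCK = 8  # 64-bit blocks, the same block size as Blowfish

def block_encrypt(key, block):
    # Forward direction of a 64-bit block cipher. Assumption: HMAC-SHA256 truncated to
    # 8 bytes stands in for Blowfish; OFB and CFB only ever call the encryption direction,
    # so any keyed PRF reproduces the structure of both modes exactly.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ofb(key, iv, data):
    # OFB: the register is fed the cipher output only, so ciphertext never influences
    # later keystream. Encryption and decryption are the same operation.
    out, reg = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        reg = block_encrypt(key, reg)
        out += xor(data[i:i + BLOCK], reg)
    return bytes(out)

def cfb(key, iv, data, decrypt):
    # CFB: the register is fed the previous *ciphertext* block instead.
    out, reg = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        res = xor(chunk, block_encrypt(key, reg))
        reg = chunk if decrypt else res  # whichever side is the ciphertext
        out += res
    return bytes(out)

def flip_bit(data, bit):
    b = bytearray(data)
    b[bit // 8] ^= 1 << (bit % 8)
    return bytes(b)

def changed_blocks(a, b):
    return [i // BLOCK for i in range(0, len(a), BLOCK) if a[i:i + BLOCK] != b[i:i + BLOCK]]

# Constructed demo inputs, not values from the thread.
KEY, IV = b"constructed-demo-key", bytes(BLOCK)
PT = b"balance=0001000;owner=alice;xxxx"  # 32 bytes = 4 blocks; byte 11 is the '1'

def run_demo(bit=88):
    # Flip one ciphertext bit (default: low bit of byte 11, block 1) and decrypt with each mode.
    ofb_pt = ofb(KEY, IV, flip_bit(ofb(KEY, IV, PT), bit))
    cfb_pt = cfb(KEY, IV, flip_bit(cfb(KEY, IV, PT, False), bit), True)
    return {"ofb": ofb_pt, "ofb_blocks": changed_blocks(PT, ofb_pt),
            "cfb": cfb_pt, "cfb_blocks": changed_blocks(PT, cfb_pt)}
```

With the default bit, OFB returns the plaintext with only the balance digit changed (block 1), while CFB returns the same change in block 1, an unrelated block 2, and blocks 0 and 3 intact.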
