On Thu, Mar 24, 2016 at 6:08 AM, Bram Moolenaar <b...@moolenaar.net> wrote:
>
>
> Ben Fritz wrote:
>
> > On Wed, Mar 23, 2016 at 4:58 PM, Bram Moolenaar <b...@moolenaar.net> wrote:
> > > The original blowfish encryption is not broken, it's just weaker than it
> > > should be.  It's still a lot stronger than zip.
> >
> > Is it? This page makes it sound like "blowfish" was pretty much completely
> > broken if you knew any of the plaintext: https://dgl.cx/2014/10/vim-blowfish
>
> Your definition of broken is wrong.  Broken means it doesn't work at
> all.  e.g., Vim crashes when using it, or when decrypting you can't get
> back the original text.  When do you call a car broken?  When you can't
> drive.  Not when you can't open the window.
>

I call something "broken" when it cannot serve its intended purpose.
Cryptography's purpose is to keep data secret. If that article is correct,
then with "blowfish" (not "blowfish2") there is a trivial attack that can
expose *at least* 64 characters of text in a file without ever knowing the
password. I'm not clear on the details (the article hand-waves a bit) but
potentially the rest of the file may also be recoverable.

If the encrypted file is the basis of a [password manager](http://www.vim.org/scripts/script.php?script_id=5340) for example, then
this is quite bad. At least the first password is probably compromised if
an attacker gains access to the file.

If anything, this makes "blowfish" *worse* than zip in many scenarios. At
least with zip the attacker needs to work for it.

> > For example, if you had a plugin that always writes a predictable header text
> > to an encrypted file before the actual sensitive data, the attacker would
> > know some plaintext. I'm certainly not comfortable using "blowfish",
> > knowing it had exploitable flaws fixed in blowfish2. I thought "blowfish"
> > was just around to let people read their old data (and hopefully convert to
> > blowfish2).
> >
> > And while I can probably *personally* use a strong-enough passphrase to let
> > the current too-fast KDF for blowfish2 suffice, I wouldn't recommend it to
> > anyone else, since I know most people choose passwords that can fall way
> > too fast with modern tools and techniques. I'd consider "blowfish2" to be
> > broken for *general use* as well since you need a REALLY good password for
> > it to provide any long-term security guarantees. Once we increase the KDF
> > iterations sufficiently I would warn when saving in blowfish2 as well, in
> > favor of the new method(s) using a better KDF.
>
> My favorite example is when I have some text that I don't want my
> neighbor to read.  Any encryption that Vim provides works for that.
>

That's a straw-man argument. You could also do ggg?G to rot13 the buffer
which would keep my neighbor or my kids from reading the file. If that's
not enough then a simple plugin to do a Caesar cipher as a
BufWritePre/BufRead would also do the trick. But nobody would seriously
suggest either of those are secure. Encryption must have a higher standard
than keeping out your non-hacker friends.

The help entry blowfish and blowfish2 both say "medium strong encryption".
An "implementation flaw" is mentioned for blowfish, but IIUC the flaw is
severe enough to make it much, much weaker than blowfish2. Why are they
both summarized as the same strength?

> Also keep in mind that, no matter how strong your encryption is, there
> is always a weak point.  Remember key loggers?  There never ever is
> 100% reliable encryption.
>
> So please don't overreact.
>

This is true. Neither Vim nor any other encryption tool will protect from a
compromised system. I don't expect Vim to keep me safe from everything. But
I do expect, if I encrypt a file with any modern crypto tool, that I don't
need to worry if that file is snagged off my cloud storage, or someone
steals my USB stick, or something. Representing a crypto implementation as
"secure" when it is trivial to recover some number of bytes in a file is
going to leak someone's sensitive data because they trusted you. I don't
think it's overreacting to say "we shouldn't present weak crypto as strong
enough to keep using".

Maybe "broken" is too charged a word, I'll stop using it. I'll put it this
way:

zip - insecure, all of your file can be recovered with commonly available
tools. Not recommended.
blowfish - insecure, part or all of your file can be recovered with known
methods. Not recommended.
blowfish2 - secure for small files if you use a very strong password and
nobody else has write access.
proposed new methods - secure if you don't use a very weak password like
"123456", "password", or "letmein".
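
The point above about the KDF iteration count, as an added illustration that is not code from this thread or from Vim: PBKDF2-HMAC-SHA256 stands in for whatever KDF a file encryptor uses, the dictionary sizes and iteration counts are constructed, and the script shows how the time to exhaust a list of common passwords on one core scales with the iteration count.

```python
# Added illustration (not code from the thread or from Vim): why the iteration
# count of a password-based KDF decides how fast weak passwords fall.
# PBKDF2-HMAC-SHA256 stands in for the real KDF; the dictionary sizes and
# iteration counts below are constructed values, not Vim's.
import hashlib
import math
import os
import time

def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 32-byte key; an attacker pays this cost once per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations, dklen=32)

def measure_guess_rate(iterations: int, trials: int = 20) -> float:
    """Guesses per second one core can check at this iteration count."""
    salt = os.urandom(8)
    start = time.perf_counter()
    for i in range(trials):
        derive_key(f"candidate-{i}", salt, iterations)
    return trials / (time.perf_counter() - start)

def scaled_rate(ref_rate: float, ref_iterations: int, iterations: int) -> float:
    """KDF cost is linear in iterations, so the guess rate scales inversely."""
    return ref_rate * ref_iterations / iterations

def seconds_to_exhaust(dictionary_size: int, rate: float) -> float:
    """Worst-case time to try every candidate in a dictionary of this size."""
    return dictionary_size / rate

def work_bits(dictionary_size: int, iterations: int) -> float:
    """Attacker work in bits: each guess costs `iterations` hash calls."""
    return math.log2(dictionary_size) + math.log2(iterations)

def compare(dictionary_size: int, iteration_counts):
    """Map iteration count -> seconds to exhaust the dictionary on one core."""
    ref_it = iteration_counts[0]
    ref_rate = measure_guess_rate(ref_it)
    return {it: seconds_to_exhaust(dictionary_size, scaled_rate(ref_rate, ref_it, it))
            for it in iteration_counts}

if __name__ == "__main__":
    # A million-entry list easily covers "123456", "password", "letmein" and kin.
    for it, secs in compare(10**6, (1_000, 100_000, 1_000_000)).items():
        print(f"{it:>9} iterations: {work_bits(10**6, it):5.1f} bits of work, "
              f"{secs / 3600:10.1f} hours for one core to exhaust the list")
```

Raising the iteration count buys a fixed factor against every password; it does not rescue a password that sits in the first few thousand entries of any list.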

-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
