php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #33256 treatment of initial vectors invalidates algorithm
Submitted: 2005-06-06 14:34 UTC Modified: 2005-09-01 14:57 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: bwise837 at users dot sourceforge dot net Assigned: derick (profile)
Status: Not a bug Package: mcrypt related
PHP Version: 5.0.4 OS: *
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: bwise837 at users dot sourceforge dot net
New email:
PHP Version: OS:

 

 [2005-06-06 14:34 UTC] bwise837 at users dot sourceforge dot net
Description:
------------
The initial vectors are treated in MCRYPT in a way
that invalidates the algorithms. This appears to apply
to all PHP version, all algorithms, all modes.

Diligent searching of the bug database does not reveal
any similar bug reports. This is a fundamental design
error, not a minor problem like '\0' line terminators
getting trimmed when decrypting binary data.

The example on page
http://us4.php.net/manual/en/function.mcrypt-module-open.php
clearly shows that decryption does not merely require the N bits of the "secret key" to decrypt, but also the M bits of 
the "initial vector" to decrypt. This is NOT the way initial
vectors are used in standard cryptography, as documented
by Schneier, Koblitz, Rivest, et al. You have wrapped the
encryption algorithm (all algorithms, all modes) in another,
creating a new encryption algorithm that requires an N+M
bit secret key to decrypt. This is a VERY SERIOUS error.
Schneier's writings are full of examples of how such simple 
changes, that naivley look like improvements, can sometimes
break the security of the algorithm. Maybe it did here, maybe not: a fully cryptanalysis is required to determine
if the new N+M-bit-key algorithm is as good as the
N-bit-key algorithm on which it was based. Until then, it
can't be trusted.

I'm sorry to say such strong things, but I happen to have 
a mathematical background in cryptography, and I'm shocked
to find such an elementary and gross error.

There is a simple work around, and I'd be happy to send
a php script I've made which demos it. The essence is to
always use a public, constant string for the MCRYPT-style
IV, while using a secret, random string for the standard-
style IV. This adds one extra block to the cipher text length, but that is a small price to pay for undoing a
terribly wrong design decision.

(The script is more than 20 lines, and I don't have
my own website up yet. But it's a simple fix.)


Reproduce code:
---------------
from http://us4.php.net/manual/en/function.mcrypt-module-open.php
<?php
   $td = mcrypt_module_open('rijndael-256', '', 'ofb', '');
   $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_DEV_RANDOM);
   $ks = mcrypt_enc_get_key_size($td);
   $key = substr(md5('very secret key'), 0, $ks);
   mcrypt_generic_init($td, $key, $iv);
   $encrypted = mcrypt_generic($td, 'This is very important data');
   mcrypt_generic_deinit($td);

   /* Initialize encryption module for decryption */
   mcrypt_generic_init($td, $key, $iv);
   $decrypted = mdecrypt_generic($td, $encrypted);
   mcrypt_generic_deinit($td);
   mcrypt_module_close($td);
   echo trim($decrypted) . "\n";
?> 

Expected result:
----------------
I would expect, as per textbook cryptography, to be
able to decrypt the string using ONLY the secret key:

In cryptography, the reverse of security by obscurity is Kerckhoffs' principle from the late 1880s, which states that system designers should assume that the entire design of a security system is known to all attackers, with the exception of the cryptographic key: "the security of a cypher resides entirely in the key". 

from 

http://www.answers.com/topic/security-through-obscurity

Actual result:
--------------
Both the IV and 'secret key' are needed to decrypt,
in violation of Kerckhoff's laws.

Outside MCRYPT, for every single algorithm and mode, only
the secret key is required to decrypt. This alone mathematically proves that MCRYPT is implementing different
algorithms with different true keys ('true key' = what is
required to decrypt = 'secret key' + MCRYPT-style 'IV') than
the algorithms which it claims to implement.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-06-06 18:34 UTC] iliaa@php.net
Could you please put the script you've mentioned as a text file some website so that it can be downloaded?
 [2005-06-09 13:18 UTC] bwise837 at users dot sourceforge dot net
An example script with thorough comments is here:
http://www.oceanofstones.net/mcrypt-problem.php
 [2005-09-01 14:57 UTC] derick@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php


 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Wed Mar 03 03:01:24 2021 UTC