Report forwarded to debian-bugs-dist@lists.debian.org, dlitz@dlitz.net, dar.linux@free.fr, Debian Security Team <team@security.debian.org>, Brian May <bam@snoopy.debian.net>: Bug#425335; Package dar.
Acknowledgement sent to "Dwayne C. Litzenberger" <dlitz@dlitz.net>:
New Bug report received and forwarded. Copy sent to dlitz@dlitz.net, dar.linux@free.fr, Debian Security Team <team@security.debian.org>, Brian May <bam@snoopy.debian.net>.
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: dar: blowfish encryption weakened by frequent IV collisions
Date: Sun, 20 May 2007 18:03:11 -0600
Package: dar
Version: 2.3.2-1
Severity: important
Tags: security
I was looking through the crypto code in dar 2.3.2, and I found what I
think is a weakness in the Blowfish encryption code that results in
frequent initialization vector collisions.
Here is some background information from the dar(1) man page:
-#, --crypto-block <size>
to be able to randomly access data in an archive, it is not
encrypted globally but block by block. You can define the
encryption block size thanks to this argument which default to
10240 bytes. Note that syntax used for -s option is also available
here. Note also that crypto-block is stored as a 32 bits integer
thus value larger than 4GB will cause an error. Note last, that the
block size given here must be provided when reading this resulting
archive (through the -* or -# options). If it is not the correct
one, the archive will not be possible to decrypt, it is thus safe
to keep the default value (and not use at all the -# option).
The offending code is in dar-2.3.2/src/libdar/crypto.cpp (lines 178-194):
178: void blowfish::make_ivec(const infinint & ref, unsigned char ivec[8])
179: {
180: infinint upper = ref >> 32;
181: U_32 high = 0, low = 0;
182:
183: high = upper % (U_32)(0xFFFF); // for bytes (high weight)
184: low = ref % (U_32)(0xFFFF); // for bytes (lowest weight)
185:
186: ivec[0] = low % 8;
187: ivec[1] = (low >> 8) % 8;
188: ivec[2] = (low >> 16) % 8;
189: ivec[3] = (low >> 24) % 8;
190: ivec[4] = high % 8;
191: ivec[5] = (high >> 8) % 8;
192: ivec[6] = (high >> 16) % 8;
193: ivec[7] = (high >> 24) % 8;
194: }
Things to note:
- ivec is 8 x 8 = 64 bits
- block_num is assumed to be 64 bits
- Each byte of ivec is being assigned a value modulo 8 (i.e. 3 bits wide),
rather than a value modulo 256.
- The variables "high" and "low" are each assigned modulo 2**16-1 instead
of modulo 2**32 (or even modulo 2**16, which would be equivalent to
taking the lowest 4 bits of "upper" and "ref", respectively).
As far as I can tell, make_ivec is intended to serialize the 64-bit dar
block number ("ref") in a platform-independent way. If it did that, it
would still be violating the NIST SP 800-38A requirement that "for the CBC
and CFB modes, the IV for any particular execution of the encryption
process must be unpredictable". However, make_ivec actually *discards*
most of the bits of the block number, resulting in guaranteed IV collisions
at least every 8 'dar blocks' and a maximum effective IV length of slightly
less than 12 bits.
Using the default block size of 10240 bytes (as recommended by the dar
manual page), this translates into an IV collision every 81920 bytes, and
an IV space of less than 4096 possible values.
The result is a severely weakened implementation of Blowfish-CBC.
What make_ivec should probably do (as recommended by NIST SP 800-38A,
Appendix C) is generate the initialization vectors by encrypting the 64-bit
block number using blowfish and the same key that is used to encrypt the data
blocks.
NIST SP 800-38A can be found at:
http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.18-4-686 (SMP w/1 CPU core)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages dar depends on:
ii libattr1 1:2.4.32-1.1 Extended attribute shared library
ii libbz2-1.0 1.0.3-6 high-quality block-sorting file co
ii libc6 2.3.6.ds1-13 GNU C Library: Shared libraries
ii libdar64-4 2.3.2-1 Disk ARchive: Shared library
ii libgcc1 1:4.1.1-21 GCC support library
ii libssl0.9.8 0.9.8e-4 SSL shared libraries
ii libstdc++6 4.1.1-21 The GNU Standard C++ Library v3
ii zlib1g 1:1.2.3-13 compression library - runtime
dar recommends no packages.
-- no debconf information
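The following script is an added illustration, not part of the bug report or of dar; it transcribes the make_ivec arithmetic quoted above into Python and measures the properties the report describes, so the numbers (collision every 8 blocks, 81920 bytes at the default block size, at most 4096 IVs) can be checked rather than taken on trust. make_ivec_serialized is an assumed stand-in for what the reporter believes the function was meant to do (plain serialization of the block number); it is still predictable, so it only fixes uniqueness, not unpredictability. One consequence the enumeration also shows: for any block number below 2^32 the "high" half is always zero, so an archive of that size draws its IVs from at most 64 values.

```python
# Added example: reproduce dar 2.3.2's blowfish::make_ivec and measure its IV space.
# Not dar's code; a transcription of crypto.cpp lines 178-194 plus measurement helpers.

DEFAULT_CRYPTO_BLOCK = 10240  # dar's default -# / --crypto-block size in bytes (from the man page)


def make_ivec_legacy(ref: int) -> bytes:
    """Transcription of the quoted make_ivec: `ref` is the 64-bit dar block number."""
    upper = ref >> 32
    high = upper % 0xFFFF          # reduced mod 2**16-1, so at most 16 bits survive
    low = ref % 0xFFFF
    # every byte is reduced mod 8, so only 3 bits of each byte are ever set
    ivec = [
        low % 8, (low >> 8) % 8, (low >> 16) % 8, (low >> 24) % 8,
        high % 8, (high >> 8) % 8, (high >> 16) % 8, (high >> 24) % 8,
    ]
    return bytes(ivec)


def make_ivec_serialized(ref: int) -> bytes:
    """Assumed stand-in for a plain 64-bit serialization of the block number.
    Unique per block, but still predictable (not SP 800-38A compliant for CBC)."""
    return (ref & 0xFFFFFFFFFFFFFFFF).to_bytes(8, "little")


def distinct_ivs(ivfunc, nblocks: int) -> int:
    """Number of distinct IVs produced for block numbers 0 .. nblocks-1."""
    return len({ivfunc(i) for i in range(nblocks)})


def first_collision(ivfunc, start: int = 0, limit: int = 1 << 20):
    """Return (earlier_block, later_block) of the first repeated IV, or None."""
    seen = {}
    for i in range(start, start + limit):
        iv = ivfunc(i)
        if iv in seen:
            return seen[iv], i
        seen[iv] = i
    return None


def collision_byte_offset(blocks: int, block_size: int = DEFAULT_CRYPTO_BLOCK) -> int:
    """Distance in bytes between two blocks that share an IV."""
    return blocks * block_size


def iv_space_upper_bound() -> int:
    """Upper bound on the legacy IV space: the four 'low' bytes depend only on
    ref % 0xFFFF, the four 'high' bytes only on (ref >> 32) % 0xFFFF, so enumerate
    each 16-bit half once and multiply."""
    def half(v):
        return (v % 8, (v >> 8) % 8, (v >> 16) % 8, (v >> 24) % 8)
    low_values = {half(v) for v in range(0xFFFF)}
    return len(low_values) * len(low_values)


if __name__ == "__main__":
    a, b = first_collision(make_ivec_legacy)
    print("legacy: first IV collision between blocks", a, "and", b,
          "=", collision_byte_offset(b - a), "bytes apart at the default block size")
    print("legacy: distinct IVs over 65536 blocks:", distinct_ivs(make_ivec_legacy, 1 << 16))
    print("legacy: IV space upper bound:", iv_space_upper_bound())
    print("serialized: distinct IVs over 65536 blocks:",
          distinct_ivs(make_ivec_serialized, 1 << 16))
```

Running it prints the collision at blocks 0 and 8 (81920 bytes apart), 64 distinct IVs for the first 65536 blocks, and the 4096 upper bound; the serialized variant yields 65536 distinct IVs over the same range.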
Information forwarded to debian-bugs-dist@lists.debian.org, Brian May <bam@snoopy.debian.net>: Bug#425335; Package dar.
Acknowledgement sent to "Dwayne C. Litzenberger" <dlitz@dlitz.net>:
Extra info received and forwarded to list. Copy sent to Brian May <bam@snoopy.debian.net>.
package dar
tags 425335 + patch
thanks
Hello again!
I have attached a set of patches that improve the security of dar's
blowfish encryption, which is currently vulnerable to watermarking attacks.
The new code adds support for a new "blowfish2" cipher mode (which it also
makes the default), and emits a warning when a user creates an archive
using the legacy "blowfish" mode.
The original "blowfish" mode has the following weaknesses:
1. The password is used directly as keying material.
2. The 10240-byte sectors are individually encrypted using initialization
vectors that are both predictable and frequently repeating. This gives
an attacker a lot of information.
The new "blowfish2" mode addresses these weaknesses by doing the following:
1. It derives the key from the password using the algorithm specified in
PKCS#5[1].
2. It uses the ESSIV algorithm to generate initialization vectors[2] that
will be unpredictable to anyone who doesn't have the archive password.
The patch also makes the following miscellaneous changes:
- Adds support for bitwise operators & | ^ &= |= ^= to the "infinint"
type.
- Clarifies the code that implements the legacy make_ivec algorithm.
- Adds a small self-test when running in blowfish2 mode.
Separate patch files that apply against dar 2.3.2, 2.3.3, and today's CVS
are included.
Cheers,
- Dwayne
Footnotes:
[1] Specifically, using the password-based key derivation function (PBKDF2)
as described in RSA PKCS#5 v2.0. The attached code uses an empty salt,
2000 iterations, and HMAC-SHA1 as the underlying pseudorandom function.
Note that although we're using HMAC-SHA1, it's only used for generating the
Blowfish key; the new code still does not provide any strong integrity
guarantees.
[2] ESSIV is also used in the LUKS hard disk encryption software. It was
designed by Clemens Fruhwirth to provide security against a watermarking
attack.
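The script below is an added illustration of the two changes the "blowfish2" mode description lists: a PBKDF2 key derivation (HMAC-SHA1, empty salt, 2000 iterations, exactly the parameters footnote [1] gives) and an ESSIV-style IV that is a keyed function of the block number. It is not the attached patch and not dar's code. Two things are assumptions: the derived key length (56 bytes, the maximum Blowfish accepts; the footnote does not state what the patch uses), and the cipher step of ESSIV, which here is an HMAC-SHA256 stand-in because Python's standard library ships no block cipher. ESSIV proper encrypts the block number under a hash of the data key with the block cipher itself; the stand-in keeps that structure (hash the key, then apply a keyed pseudorandom function to the block number) so the resulting IVs are deterministic for random access yet unpredictable without the password. The small self-test mirrors the one the patch description mentions, using the RFC 6070 PBKDF2-HMAC-SHA1 test vector.

```python
# Added example: PBKDF2 key derivation plus an ESSIV-style per-block IV.
# Not the dar patch; parameters from the bug report, key length and cipher step assumed.
import hashlib
import hmac

PBKDF2_PRF = "sha1"       # HMAC-SHA1 as the PRF (from the report)
PBKDF2_SALT = b""         # empty salt (from the report)
PBKDF2_ITERATIONS = 2000  # 2000 iterations (from the report)
KEY_LEN = 56              # ASSUMED: 448-bit Blowfish key; the patch's length is not stated
IV_LEN = 8                # Blowfish block size, so an 8-byte CBC IV


def derive_key(password: bytes, salt: bytes = PBKDF2_SALT,
               iterations: int = PBKDF2_ITERATIONS, key_len: int = KEY_LEN) -> bytes:
    """PKCS#5 v2.0 PBKDF2 over the archive password, replacing the legacy
    practice of feeding the password bytes straight in as keying material."""
    return hashlib.pbkdf2_hmac(PBKDF2_PRF, password, salt, iterations, key_len)


def essiv_subkey(data_key: bytes) -> bytes:
    """ESSIV derives the IV key by hashing the data key, so the IV generator
    never uses the data key directly."""
    return hashlib.sha256(data_key).digest()


def make_iv(data_key: bytes, block_num: int) -> bytes:
    """ESSIV-style IV for one crypto block. ESSIV proper returns
    E_{hash(K)}(block_num) using the block cipher; HMAC-SHA256 is a STAND-IN here
    (no block cipher in the standard library), truncated to the 8-byte block size."""
    sector = block_num.to_bytes(8, "little")
    return hmac.new(essiv_subkey(data_key), sector, hashlib.sha256).digest()[:IV_LEN]


def ivs_unique(data_key: bytes, nblocks: int) -> bool:
    """Check that the first nblocks block numbers all get distinct IVs."""
    return len({make_iv(data_key, i) for i in range(nblocks)}) == nblocks


def pbkdf2_self_test() -> bool:
    """Small self-test against RFC 6070 (P="password", S="salt", c=2, dkLen=20)."""
    expected = bytes.fromhex("ea6c014dc72d6f8ccd1ed92ace1d41f0d8de8957")
    return derive_key(b"password", b"salt", 2, 20) == expected


if __name__ == "__main__":
    assert pbkdf2_self_test(), "PBKDF2 self-test failed"
    key = derive_key(b"example archive password")   # constructed sample password
    print("IV block 0:", make_iv(key, 0).hex())
    print("IV block 8:", make_iv(key, 8).hex())      # no longer equal to block 0's IV
    print("4096 blocks, all IVs distinct:", ivs_unique(key, 4096))
```

The contrast with the legacy make_ivec is that blocks 0 and 8 (and every other pair) now get different IVs, and a reader who does not know the password cannot compute any of them; what the mode still does not give, as footnote [1] says, is integrity protection of the ciphertext.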
Tags added: patch
Request was from "Dwayne C. Litzenberger" <dlitz@dlitz.net>
to control@bugs.debian.org.
(Fri, 25 May 2007 02:30:10 GMT)
Source: dar
Source-Version: 2.3.3-1
We believe that the bug you reported is fixed in the latest version of
dar, which is due to be installed in the Debian FTP archive:
dar-docs_2.3.3-1_all.deb
to pool/main/d/dar/dar-docs_2.3.3-1_all.deb
dar-static_2.3.3-1_i386.deb
to pool/main/d/dar/dar-static_2.3.3-1_i386.deb
dar_2.3.3-1.diff.gz
to pool/main/d/dar/dar_2.3.3-1.diff.gz
dar_2.3.3-1.dsc
to pool/main/d/dar/dar_2.3.3-1.dsc
dar_2.3.3-1_i386.deb
to pool/main/d/dar/dar_2.3.3-1_i386.deb
dar_2.3.3.orig.tar.gz
to pool/main/d/dar/dar_2.3.3.orig.tar.gz
libdar-dev_2.3.3-1_i386.deb
to pool/main/d/dar/libdar-dev_2.3.3-1_i386.deb
libdar64-4_2.3.3-1_i386.deb
to pool/main/d/dar/libdar64-4_2.3.3-1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 425335@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Brian May <bam@snoopy.debian.net> (supplier of updated dar package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 4 Jun 2007 10:06:17 +1000
Source: dar
Binary: dar-static libdar-dev dar libdar64-4 dar-docs
Architecture: source i386 all
Version: 2.3.3-1
Distribution: unstable
Urgency: low
Maintainer: Brian May <bam@snoopy.debian.net>
Changed-By: Brian May <bam@snoopy.debian.net>
Description:
dar - Disk ARchive: Backup directory tree and files
dar-docs - Disk ARchive: Backup directory tree and files
dar-static - Disk ARchive: Backup directory tree and files
libdar-dev - Disk ARchive: Development files for shared library
libdar64-4 - Disk ARchive: Shared library
Closes: 425335 425824
Changes:
dar (2.3.3-1) unstable; urgency=low
.
* New upstream version.
* Fix bugs with hard links, closes: 425824.
* Apply patch to increase security of blowfish2 cipher, closes: 425335.
Files:
9808ef061da214f889f0c334ba628342 679 utils optional dar_2.3.3-1.dsc
30b2e488f11e1ab60510fa198de23791 1179147 utils optional dar_2.3.3.orig.tar.gz
07a5cb55bdc2f20da5ec8722b607d77e 8731 utils optional dar_2.3.3-1.diff.gz
2210a51128cb5ab889276451b4d8d162 827440 doc optional dar-docs_2.3.3-1_all.deb
3dfc9ff7412874287b19575a3f88c868 943130 devel optional libdar-dev_2.3.3-1_i386.deb
601c42d1fe16a6d97780d346ea8160c8 540834 libs optional libdar64-4_2.3.3-1_i386.deb
b5bc8e4fd53837de1b1a11d4f8d629e0 1232112 utils optional dar-static_2.3.3-1_i386.deb
bc5b2739c20765c69f1c849cdde9a1b1 299320 utils optional dar_2.3.3-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFGY2TluCinHABTDCQRAmzuAJ9fVZsrDaSB8aspoF6a5MlZ0BiBbwCePnZy
ArMH1GsgMdxu2NUMI10XkbE=
=GgmX
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Fri, 13 Jul 2007 07:42:45 GMT)