Debian Bug report logs - #425335
dar: blowfish encryption weakened by frequent IV collisions

version graph

Package: dar; Maintainer for dar is Brian May <bam@debian.org>; Source for dar is src:dar.

Reported by: "Dwayne C. Litzenberger" <dlitz@dlitz.net>

Date: Mon, 21 May 2007 00:06:02 UTC

Severity: important

Tags: patch, security

Found in version dar/2.3.2-1

Fixed in version dar/2.3.3-1

Done: Brian May <bam@snoopy.debian.net>

Bug is archived. No further changes may be made.

Forwarded to http://sourceforge.net/tracker/index.php?func=detail&aid=1730439&group_id=65612&atid=511612

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, dlitz@dlitz.net, dar.linux@free.fr, Debian Security Team <team@security.debian.org>, Brian May <bam@snoopy.debian.net>:
Bug#425335; Package dar. Full text and rfc822 format available.

Acknowledgement sent to "Dwayne C. Litzenberger" <dlitz@dlitz.net>:
New Bug report received and forwarded. Copy sent to dlitz@dlitz.net, dar.linux@free.fr, Debian Security Team <team@security.debian.org>, Brian May <bam@snoopy.debian.net>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: "Dwayne C. Litzenberger" <dlitz@dlitz.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: dar: blowfish encryption weakened by frequent IV collisions
Date: Sun, 20 May 2007 18:03:11 -0600
Package: dar
Version: 2.3.2-1
Severity: important
Tags: security

I was looking through the crypto code in dar 2.3.2, and I found what I 
think is a weakness in the Blowfish encryption code that results in 
frequent initialization vector collisions.

Here is some background information from the dar(1) man page:

   -#, --crypto-block <size>
       
       to be able to randomly access data in an archive, it is not 
       encrypted globally but block by block. You can define the 
       encryption block size thanks to this argument which default to 
       10240 bytes. Note that syntax used for -s option is also available 
       here. Note also that crypto-block is stored as a 32 bits integer 
       thus value larger than 4GB will cause an error. Note last, that the 
       block size given here must be provided when reading this resulting 
       archive (through the -* or -# options). If it is not the correct 
       one, the archive will not be possible to decrypt, it is thus safe 
       to keep the default value (and not use at all the -# option).

The offending code is in dar-2.3.2/src/libdar/crypto.cpp (lines 178-194):

178: void blowfish::make_ivec(const infinint & ref, unsigned char ivec[8])
179: {
180:     infinint upper = ref >> 32;
181:     U_32 high = 0, low = 0;
182:
183:     high = upper % (U_32)(0xFFFF); // for bytes (high weight)
184:     low = ref % (U_32)(0xFFFF); // for bytes (lowest weight)
185:
186:     ivec[0] = low % 8;
187:     ivec[1] = (low >> 8) % 8;
188:     ivec[2] = (low >> 16) % 8;
189:     ivec[3] = (low >> 24) % 8;
190:     ivec[4] = high % 8;
191:     ivec[5] = (high >> 8) % 8;
192:     ivec[6] = (high >> 16) % 8;
193:     ivec[7] = (high >> 24) % 8;
194: }

Things to note:
- ivec is 8 x 8 = 64 bits
- block_num is assumed to be 64 bits
- Each byte of ivec is being assigned a value modulo 8 (i.e. 3 bits wide), 
  rather than a value modulo 256.
- The variables "high" and "low" are each assigned modulo 2**16-1 instead 
  of modulo 2**32 (or even modulo 2**16, which would be equivalent to 
  taking the lowest 4 bits of "upper" and "ref", respectively).

As far as I can tell, make_ivec is intended to serialize the 64-bit dar 
block number ("ref") in a platform-independent way.  If it did that, it 
would still be violating the NIST SP 800-38A requirement that "for the CBC 
and CFB modes, the IV for any particular execution of the encryption 
process must be unpredictable".  However, make_ivec actually *discards* 
most of the bits of the block number, resulting in guaranteed IV collisions 
at least every 8 'dar blocks' and a maximum effective IV length of slightly 
less than 12 bits.

Using the default block size of 10240 bytes (as recommended by the dar 
manual page), this translates into an IV collision every 81920 bytes, and 
an IV space of less than 4096 possible values.

The result is a severely weakened implementation of Blowfish-CBC.

What make_ivec should probably do is (as recommended by NIST SP 800-38A, 
Appendix C) to generate the initialization vectors encrypt the 64-bit block 
number using blowfish and the same key that is used to encrypt the data 
blocks.

NIST SP 800-38A can be found at: 
http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf

-- System Information:
Debian Release: lenny/sid
 APT prefers testing
 APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.18-4-686 (SMP w/1 CPU core)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages dar depends on:
ii  libattr1                    1:2.4.32-1.1 Extended attribute shared library
ii  libbz2-1.0                  1.0.3-6      high-quality block-sorting file co
ii  libc6                       2.3.6.ds1-13 GNU C Library: Shared libraries
ii  libdar64-4                  2.3.2-1      Disk ARchive: Shared library
ii  libgcc1                     1:4.1.1-21   GCC support library
ii  libssl0.9.8                 0.9.8e-4     SSL shared libraries
ii  libstdc++6                  4.1.1-21     The GNU Standard C++ Library v3
ii  zlib1g                      1:1.2.3-13   compression library - runtime

dar recommends no packages.

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Brian May <bam@snoopy.debian.net>:
Bug#425335; Package dar. Full text and rfc822 format available.

Acknowledgement sent to "Dwayne C. Litzenberger" <dlitz@dlitz.net>:
Extra info received and forwarded to list. Copy sent to Brian May <bam@snoopy.debian.net>. Full text and rfc822 format available.

Message #10 received at 425335@bugs.debian.org (full text, mbox):

From: "Dwayne C. Litzenberger" <dlitz@dlitz.net>
To: 425335@bugs.debian.org
Cc: dar.linux@free.fr, Debian Security Team <team@security.debian.org>, control@bugs.debian.org
Subject: Re: Bug#425335: dar: blowfish encryption weakened by frequent IV collisions
Date: Thu, 24 May 2007 20:22:49 -0600
[Message part 1 (text/plain, inline)]
package dar
tags 425335 + patch
thanks

Hello again!

I have attached a set of patches that improve the security of dar's 
blowfish encryption, which is currently vulnerable to watermarking attacks.

The new code adds support for a new "blowfish2" cipher mode (which it also 
makes the default), and emits a warning when a user creates an archive 
using the legacy "blowfish" mode.

The original "blowfish" mode has the following weaknesses:
1. The password is used directly as keying material.
2. The 10240-byte sectors are individually encrypted using initialization 
   vectors that are both predictable and frequently repeating.  This gives 
   an attacker a lot of information.

The new "blowfish2" mode addresses these weaknesses by doing the following:
1. It derives the key from the password using the algorithm specified in 
   PKCS#5[1].
2. It uses the ESSIV algorithm to generate initialization vectors[2] that 
   will be unpredictable to anyone who doesn't have the archive password.

The patch also makes the following miscellaneous changes:
- Adds support for bitwise operators & | ^ &= |= ^= to the "infinint" 
  type.
- Clarifies the code that implements the legacy make_ivec algorithm.
- Adds a small self-test when running in blowfish2 mode.

Separate patch files that apply against dar 2.3.2, 2.3.3, and today's CVS 
are included.

Cheers,
- Dwayne

Footnotes:

[1] Specifically, using the password-based key derivation function (PBKDF2) 
as described in RSA PKCS#5 v2.0.  The attached code uses an empty salt, 
2000 iterations, and HMAC-SHA1 as the underlying pseudorandom function.  
Note that although we're using HMAC-SHA1, it's only used for generating the 
Blowfish key; The new code still does not provide any strong integrity 
guarantees.

[2] ESSIV is also used in the LUKS harddisk encryption software.  It was 
designed by Clemens Fruhwirth to provide security against a watermarking 
attack.


[patch-dar-blowfish2_for_2.3.2.txt (text/plain, attachment)]
[patch-dar-blowfish2_for_2.3.3.txt (text/plain, attachment)]
[patch-dar-blowfish2_for_cvs.txt (text/plain, attachment)]

Tags added: patch Request was from "Dwayne C. Litzenberger" <dlitz@dlitz.net> to control@bugs.debian.org. (Fri, 25 May 2007 02:30:10 GMT) Full text and rfc822 format available.

Noted your statement that Bug has been forwarded to http://sourceforge.net/tracker/index.php?func=detail&aid=1730439&group_id=65612&atid=511612. Request was from Brian May <bam@snoopy.debian.net> to control@bugs.debian.org. (Mon, 04 Jun 2007 01:00:01 GMT) Full text and rfc822 format available.

Reply sent to Brian May <bam@snoopy.debian.net>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to "Dwayne C. Litzenberger" <dlitz@dlitz.net>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #19 received at 425335-close@bugs.debian.org (full text, mbox):

From: Brian May <bam@snoopy.debian.net>
To: 425335-close@bugs.debian.org
Subject: Bug#425335: fixed in dar 2.3.3-1
Date: Mon, 04 Jun 2007 01:17:03 +0000
Source: dar
Source-Version: 2.3.3-1

We believe that the bug you reported is fixed in the latest version of
dar, which is due to be installed in the Debian FTP archive:

dar-docs_2.3.3-1_all.deb
  to pool/main/d/dar/dar-docs_2.3.3-1_all.deb
dar-static_2.3.3-1_i386.deb
  to pool/main/d/dar/dar-static_2.3.3-1_i386.deb
dar_2.3.3-1.diff.gz
  to pool/main/d/dar/dar_2.3.3-1.diff.gz
dar_2.3.3-1.dsc
  to pool/main/d/dar/dar_2.3.3-1.dsc
dar_2.3.3-1_i386.deb
  to pool/main/d/dar/dar_2.3.3-1_i386.deb
dar_2.3.3.orig.tar.gz
  to pool/main/d/dar/dar_2.3.3.orig.tar.gz
libdar-dev_2.3.3-1_i386.deb
  to pool/main/d/dar/libdar-dev_2.3.3-1_i386.deb
libdar64-4_2.3.3-1_i386.deb
  to pool/main/d/dar/libdar64-4_2.3.3-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 425335@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Brian May <bam@snoopy.debian.net> (supplier of updated dar package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon,  4 Jun 2007 10:06:17 +1000
Source: dar
Binary: dar-static libdar-dev dar libdar64-4 dar-docs
Architecture: source i386 all
Version: 2.3.3-1
Distribution: unstable
Urgency: low
Maintainer: Brian May <bam@snoopy.debian.net>
Changed-By: Brian May <bam@snoopy.debian.net>
Description: 
 dar        - Disk ARchive: Backup directory tree and files
 dar-docs   - Disk ARchive: Backup directory tree and files
 dar-static - Disk ARchive: Backup directory tree and files
 libdar-dev - Disk ARchive: Development files for shared library
 libdar64-4 - Disk ARchive: Shared library
Closes: 425335 425824
Changes: 
 dar (2.3.3-1) unstable; urgency=low
 .
   * New upstream version.
   * Fix bugs with hard links, closes: 425824.
   * Apply patch to increase security of blowfish2 cipher, closes: 425335.
Files: 
 9808ef061da214f889f0c334ba628342 679 utils optional dar_2.3.3-1.dsc
 30b2e488f11e1ab60510fa198de23791 1179147 utils optional dar_2.3.3.orig.tar.gz
 07a5cb55bdc2f20da5ec8722b607d77e 8731 utils optional dar_2.3.3-1.diff.gz
 2210a51128cb5ab889276451b4d8d162 827440 doc optional dar-docs_2.3.3-1_all.deb
 3dfc9ff7412874287b19575a3f88c868 943130 devel optional libdar-dev_2.3.3-1_i386.deb
 601c42d1fe16a6d97780d346ea8160c8 540834 libs optional libdar64-4_2.3.3-1_i386.deb
 b5bc8e4fd53837de1b1a11d4f8d629e0 1232112 utils optional dar-static_2.3.3-1_i386.deb
 bc5b2739c20765c69f1c849cdde9a1b1 299320 utils optional dar_2.3.3-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGY2TluCinHABTDCQRAmzuAJ9fVZsrDaSB8aspoF6a5MlZ0BiBbwCePnZy
ArMH1GsgMdxu2NUMI10XkbE=
=GgmX
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 13 Jul 2007 07:42:45 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 14:02:47 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.