ECB encryption of passphrase

Bug #1480532 reported by Sylvain on 2015-08-01
This bug affects 1 person
Affects Status Importance Assigned to Milestone

Bug Description

To encrypt a passphrase, ecryptfs-utils uses AES 128-bit in ECB mode of operation. The passphrase is 16-byte (128-bit) long. The wrapping process encrypts the hexlified version of the passphrase which lies on 32 bytes (256 bits). It means two AES blocks will be process during the key wrapping. In the (unlikely) case were the passphrase has the upper 8-byte part equal to the lower 8-byte part then its wrapped version will also have the same property. If an adversary sees an encrypted key in the wrapped-passphrase file with the lower part equal the upper part he will now that he have only to bruteforce 8 bytes and not the full 16-byte key.

To convince yourself of this property you can execute:
printf "%s\n%s" "00112233445566770011223344556677" "wrapping" | ecryptfs-wrap-passphrase keyfile -

The resulting keyfile contains the wrapped passphrase with two identical blocks. I think it should either use CBC mode of operation for key wrapping or encryption of the raw version of the passphrase not the hexlified version. It is not a big issue but 2^64 keys have only 64-bit security with the current scheme.

CVE References

Tyler Hicks (tyhicks) wrote :

Hi Sylvain - Thanks for the bug report!

I agree that ECB mode is not idealt. It is on my todo list to migrate to a better wrapping scheme after I became familiar with the code while fixing CVE-2014-9687.

Changed in ecryptfs:
importance: Undecided → Medium
status: New → Confirmed
Sylvain (sylvain-pelissier) wrote :

Thanks for your answer. I am wondering if it is not better to make this bug public while it is still not corrected. What do you think ?

information type: Private Security → Public Security
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers