Fixed IV used in Xtrabackup encryption

Bug #1185343 reported by Raghavendra D Prabhu on 2013-05-29
This bug affects 1 person
Affects | Importance | Assigned to
Percona XtraBackup | High | George Ormond Lorch III
2.1 | High | George Ormond Lorch III
2.2 | High | George Ormond Lorch III
percona-xtrabackup (Ubuntu) | High | Unassigned
Saucy | High | Unassigned
Trusty | High | Unassigned

Bug Description

Currently a fixed IV (constant string) is used while encrypting the data. This
opens the encrypted stream/data to plaintext attacks among
others.

Also, we use a CTR mode - GCRY_CIPHER_MODE_CTR - which has
stringent requirements on its IV - http://crypto.stackexchange.com/questions/1849/why-not-use-ctr-with-a-randomized-iv

So, we should either use CBC with a random IV (but its encryption
is not parallelizable, only decryption is) or CTR with a strong
IV.

Even just CTR with a random IV should be fine since "With counter
mode, the rule is that you cannot reuse the same IV with the same key.
However, it is perfectly fine to use the same IV with different keys."

So, assuming we generate a random IV we should either

a) Have it provided as a parameter in the stream (so other side
knows to decrypt it).

b) Without stream, put it in one of xtrabackup metadata files to
decrypt later.

Tags: pxc

Related branches

lp:~gl-az/percona-xtrabackup/BT23557-bug1185343-2.1
Merged into lp:percona-xtrabackup/2.1 at revision 683
Alexey Kopytov (community): Approve on 2013-10-26
lp:~gl-az/percona-xtrabackup/BT23557-bug1185343-2.2
Merged into lp:percona-xtrabackup/2.2 at revision 4881
Alexey Kopytov (community): Approve on 2013-10-26

CVE References

Regarding

>So, assuming we generate a random IV we should either
>
>a) Have it provided as a parameter in the stream (so other side
>knows to decrypt it).
>
>b) Without stream, put it in one of xtrabackup metadata files to
>decrypt later.

This won't be required. The salt needs to be prepended (separated
by a delimiter) to the encrypted stream/text (in case of text, in
the beginning of the file). This convention is used elsewhere as
well - crypt(3), openssh etc.

tags: added: pxc
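
The keystream reuse described in the report and the prepended-IV layout proposed in the reply, as an added example that is not XtraBackup's code. HMAC-SHA256 stands in for AES-CTR so it runs with the standard library only; the key, the constant IV, the two chunks and every function name are constructed for illustration.

```python
import hashlib
import hmac
import os

KEY = bytes(range(32))              # all values below are constructed samples
FIXED_IV = b"constant-iv-0000"      # stands for the hard-coded IV string
IV_LEN = 16
CHUNK_A = b"INSERT INTO accounts VALUES (1, 'alice', 1200);"
CHUNK_B = b"INSERT INTO accounts VALUES (2, 'bob', 98000);!"

def keystream(key, iv, length):
    """CTR-style keystream PRF(key, iv || counter); HMAC-SHA256 is a
    stand-in for the block cipher (assumption made for portability)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_fixed_iv(key, plaintext):
    """Reported pattern: the same constant IV for every stream."""
    return xor(plaintext, keystream(key, FIXED_IV, len(plaintext)))

def encrypt_random_iv(key, plaintext):
    """Fresh IV per stream, prepended so the reader needs no side channel."""
    iv = os.urandom(IV_LEN)
    return iv + xor(plaintext, keystream(key, iv, len(plaintext)))

def decrypt_random_iv(key, blob):
    iv, body = blob[:IV_LEN], blob[IV_LEN:]
    return xor(body, keystream(key, iv, len(body)))

def leaks_plaintext_xor(body_a, body_b, plain_a, plain_b):
    """True when c_a XOR c_b == p_a XOR p_b, i.e. the keystream was reused."""
    return xor(body_a, body_b) == xor(plain_a, plain_b)

def demo():
    fixed = [encrypt_fixed_iv(KEY, c) for c in (CHUNK_A, CHUNK_B)]
    fresh = [encrypt_random_iv(KEY, c) for c in (CHUNK_A, CHUNK_B)]
    return {
        "fixed_iv_leaks": leaks_plaintext_xor(*fixed, CHUNK_A, CHUNK_B),
        "random_iv_leaks": leaks_plaintext_xor(fresh[0][IV_LEN:], fresh[1][IV_LEN:], CHUNK_A, CHUNK_B),
        "round_trip_ok": decrypt_random_iv(KEY, fresh[1]) == CHUNK_B,
    }

if __name__ == "__main__":
    print(demo())
```

With the constant IV the key cancels out of the XOR of two ciphertexts, so the difference between the two plaintexts is visible without the key; with a per-stream IV it is not, and the prepended IV is all the decrypting side needs.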
Sergei Golubchik (sergii) wrote :

FYI it's CVE-2013-6394

And note this: http://www.openwall.com/lists/oss-security/2013/11/26/13

George Ormond Lorch III (gl-az) wrote :

Sergei, thanks for the report. While researching for another feature we discovered that libgcrypt already has randomization functions built in for generating proper IVs and were already planning on changing over to those calls instead.

Reported as new bug 1255300

James Page (james-page) on 2014-01-06
Changed in percona-xtrabackup (Ubuntu Trusty):
status: New → Fix Released
importance: Undecided → High
Changed in percona-xtrabackup (Ubuntu Saucy):
importance: Undecided → High
status: New → Triaged
Rolf Leggewie (r0lf) wrote :

saucy has seen the end of its life and is no longer receiving any updates. Marking the saucy task for this ticket as "Won't Fix".

Changed in percona-xtrabackup (Ubuntu Saucy):
status: Triaged → Won't Fix