Fixed IV used in Xtrabackup encryption

Reported by Raghavendra D Prabhu on 2013-05-29
Affects                        Status                     Importance   Assigned to                Milestone
Percona XtraBackup             Status tracked in 2.2
  2.1                                                     High         George Ormond Lorch III
  2.2                                                     High         George Ormond Lorch III
percona-xtrabackup (Ubuntu)    Status tracked in Trusty
  Saucy                                                   High         Unassigned
  Trusty                                                  High         Unassigned

Bug Description

Currently a fixed IV (constant string) is used while encrypting the data. This opens the encrypted stream/data to plaintext attacks, among others.

Also, we use CTR mode (GCRY_CIPHER_MODE_CTR), which has stringent requirements on its IV: http://crypto.stackexchange.com/questions/1849/why-not-use-ctr-with-a-randomized-iv

So, we should either use CBC with a random IV (but its encryption is not parallelizable, only decryption is) or CTR with a strong IV.

Even just CTR with a random IV should be fine, since "With counter mode, the rule is that you cannot reuse the same IV with the same key. However, it is perfectly fine to use the same IV with different keys."

So, assuming we generate a random IV, we should either

a) have it provided as a parameter in the stream (so the other side knows how to decrypt it), or

b) without a stream, put it in one of the xtrabackup metadata files to decrypt later.

Tags: pxc

Regarding

>So, assuming we generate a random IV we should add either
>
>a) Have it provided as a parameter in the stream (so other side
>knows to decrypt it).
>
>b) Without stream, put it in one of xtrabackup metadata files to
>decrypt later.

This won't be required. The salt needs to be prepended (separated by a delimiter) to the encrypted stream/text (in the case of text, at the beginning of the file). This convention is used elsewhere as well: crypt(3), openssh, etc.

tags: added: pxc
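As an added illustration, not code from XtraBackup or from anyone in this thread, the Go program below uses the standard library's AES-CTR in place of libgcrypt to contrast the reported fixed-IV usage with a per-stream random IV carried at the head of the stream; it uses a fixed-length prefix rather than the delimiter mentioned above (an assumption of this example), and the key, IV constant and sample data in the accompanying checks are constructed. sameKeystream demonstrates the property the report warns about: under a reused IV, the XOR of two ciphertexts equals the XOR of their plaintexts.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// Constructed stand-in for the constant IV the report describes (not the real value).
var fixedIV = []byte("0123456789abcdef")
// ctrXOR runs AES-CTR under iv; the reported weak form is ctrXOR(key, fixedIV, data) every time.
func ctrXOR(key, iv, in []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // a bad key length is a programming error, not a runtime condition
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in) // CTR: encrypt and decrypt are the same op
	return out
}

// encryptRandomIV draws a fresh IV per stream and writes it as a fixed-length prefix (no metadata file needed).
func encryptRandomIV(key, plaintext []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	return append(iv, ctrXOR(key, iv, plaintext)...), nil
}

// decryptRandomIV reads the IV prefix back and decrypts the remainder.
func decryptRandomIV(key, stream []byte) ([]byte, error) {
	if len(stream) < aes.BlockSize {
		return nil, errors.New("stream shorter than IV prefix")
	}
	return ctrXOR(key, stream[:aes.BlockSize], stream[aes.BlockSize:]), nil
}

// sameKeystream reports whether c1 XOR c2 equals p1 XOR p2 over the common prefix, i.e. one keystream served both.
func sameKeystream(c1, c2, p1, p2 []byte) bool {
	for i := 0; i < len(c1) && i < len(c2) && i < len(p1) && i < len(p2); i++ {
		if c1[i]^c2[i] != p1[i]^p2[i] {
			return false
		}
	}
	return true
}
```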
Sergei (sergii) wrote :

FYI it's CVE-2013-6394

And note this: http://www.openwall.com/lists/oss-security/2013/11/26/13

George Ormond Lorch III (gl-az) wrote :

Sergei, thanks for the report. While researching another feature we discovered that libgcrypt already has randomization functions built in for generating proper IVs, and we were already planning on changing over to those calls instead.

Reported as new bug 1255300

James Page (james-page) on 2014-01-06
Changed in percona-xtrabackup (Ubuntu Trusty):
status: New → Fix Released
importance: Undecided → High
Changed in percona-xtrabackup (Ubuntu Saucy):
importance: Undecided → High
status: New → Triaged