r3211 - in /packages/libcrypt-cbc-perl/branches/upstream/current: CBC.pm Crypt::CBC-2.16-vulnerability.txt MANIFEST META.yml README README.compatibility

gregoa-guest at users.alioth.debian.org gregoa-guest at users.alioth.debian.org
Sun Jul 2 15:12:52 UTC 2006


Author: gregoa-guest
Date: Sun Jul  2 15:12:52 2006
New Revision: 3211

URL: http://svn.debian.org/wsvn/pkg-perl/?sc=1&rev=3211
Log:
Load /tmp/tmp.KJmEy28039/libcrypt-cbc-perl-2.18 into
packages/libcrypt-cbc-perl/branches/upstream/current.

Added:
    packages/libcrypt-cbc-perl/branches/upstream/current/Crypt::CBC-2.16-vulnerability.txt
    packages/libcrypt-cbc-perl/branches/upstream/current/README.compatibility
Modified:
    packages/libcrypt-cbc-perl/branches/upstream/current/CBC.pm
    packages/libcrypt-cbc-perl/branches/upstream/current/MANIFEST
    packages/libcrypt-cbc-perl/branches/upstream/current/META.yml
    packages/libcrypt-cbc-perl/branches/upstream/current/README

Modified: packages/libcrypt-cbc-perl/branches/upstream/current/CBC.pm
URL: http://svn.debian.org/wsvn/pkg-perl/packages/libcrypt-cbc-perl/branches/upstream/current/CBC.pm?rev=3211&op=diff
==============================================================================
--- packages/libcrypt-cbc-perl/branches/upstream/current/CBC.pm (original)
+++ packages/libcrypt-cbc-perl/branches/upstream/current/CBC.pm Sun Jul  2 15:12:52 2006
@@ -4,7 +4,7 @@
 use Carp;
 use strict;
 use vars qw($VERSION);
-$VERSION = '2.17';
+$VERSION = '2.18';
 
 use constant RANDOM_DEVICE => '/dev/urandom';
 

Added: packages/libcrypt-cbc-perl/branches/upstream/current/Crypt::CBC-2.16-vulnerability.txt
URL: http://svn.debian.org/wsvn/pkg-perl/packages/libcrypt-cbc-perl/branches/upstream/current/Crypt%3A%3ACBC-2.16-vulnerability.txt?rev=3211&op=file
==============================================================================
--- packages/libcrypt-cbc-perl/branches/upstream/current/Crypt::CBC-2.16-vulnerability.txt (added)
+++ packages/libcrypt-cbc-perl/branches/upstream/current/Crypt::CBC-2.16-vulnerability.txt Sun Jul  2 15:12:52 2006
@@ -1,0 +1,119 @@
+Perl Module Security Advisory
+
+-------------------------------------------------------------------------------
+   Title: Crypt::CBC ciphertext weakness when using certain block algorithms
+Severity: High
+Versions: All versions <= 2.16.
+    Date: 16 February 2006
+-------------------------------------------------------------------------------
+
+Synopsis
+--------
+
+The Perl Crypt::CBC module versions through 2.16 produce weak
+ciphertext when used with block encryption algorithms with blocksize >
+8 bytes.
+
+Background
+----------
+
+Crypt::CBC implements the Cipher Block Chaining Mode (CBC) [1].  CBC
+allows block ciphers (which encrypt and decrypt chunks of data of a
+fixed block length) to act as though they are stream ciphers capable
+of encrypting and decrypting arbitrary length streams. It does this by
+randomly generating an initialization vector (IV) the same length as
+the cipher's block size. This IV is logically XORed with the first
+block of plaintext prior to encryption. The block is encrypted, and
+the result is used as the IV applied to the next block of plaintext.
+This process is repeated for each block of plaintext.
+
+In order for ciphertext encrypted by Crypt::CBC to be decrypted, the
+receiver must know both the key used to encrypt the data stream and
+the IV that was chosen. Because the IV is not secret, it can safely be
+appended to the encrypted message. The key, of course, is kept in a
+safe place and transmitted to the recipient by some secure means.
+
+Crypt::CBC can generate two types of headers for transmitting the
+IV. The older, deprecated, header type is known as the "RandomIV"
+header, and consists of the 8 byte string "RandomIV" followed by 8
+bytes of IV data. This is the default header generated by Crypt::CBC
+versions through 2.16. The newer, recommended, type of header is known
+as the "Salted" header and consists of the 8 byte string "Salted__"
+followed by an 8 byte salt value. The salt value is used to rederive
+both the encryption key and the IV from a long passphrase provided by
+the user. The Salted header was introduced in version 2.13 and is
+compatible with the CBC header generated by OpenSSL [2].
+
+
+Description
+-----------
+
+The RandomIV style header assumes that the IV will be exactly 8 bytes
+in length. However, the IV must be the same length as the underlying
+cipher's block size, and so this assumption is not correct when using
+ciphers whose block size is greater than 8 bytes. Of the ciphers
+commonly available to Perl developers, only the Rijndael algorithm,
+which uses a 16 byte block size is the primary cipher affected by this
+issue. Rijndael is the cipher that underlies the AES encryption
+standard.
+
+Impact
+------
+
+Ciphertext encrypted with Crypt::CBC using the legacy RandomIV header
+and the Rijndael cipher is not secure. The latter 8 bytes of each
+block are chained using a constant effective IV of null, meaning that
+the ciphertext will be prone to differential cryptanalysis,
+particularly if the same key was used to generate multiple encrypted
+messages. Other >8-byte cipher algorithms will be similarly affected.
+
+The difficulty of breaking data encrypted using this flawed algorithm
+is unknown, but it should be assumed that all information encrypted in
+this way has been, or could someday be, compromised.
+
+Exploits
+--------
+
+There are no active exploits known at this time.
+
+Workaround
+----------
+
+If using Crypt::CBC versions 2.16 and lower, pass the -salt=>1 option
+to Crypt::CBC->new(). This will generate and process IVs correctly for
+ciphers of all length.
+
+Resolution
+----------
+
+Upgrade to Crypt::CBC version 2.17 or higher. This module makes the
+Salted header the default behavior and refuses to encrypt or decrypt
+with non-8 byte block size ciphers when in legacy RandomIV mode.
+
+In order to decrypt ciphertext previously encrypted by pre-2.17
+versions of the software with Rijndael and other >8-byte algorithms,
+Crypt::CBC provides an -insecure_legacy_decrypt option that will allow
+such ciphertext to be decrypted. The default is to refuse to decrypt
+such data.
+
+The most recent version of Crypt::CBC can be downloaded from the
+Comprehensive Perl Archive Network (CPAN; http://www.cpan.org).
+
+Contact
+-------
+
+For further information about this issue, please contact the author of
+Crypt::CBC, Lincoln Stein <lstein at cshl.edu>.
+
+Acknowledgements
+----------------
+
+The author gratefully acknowledges the contribution of Ben
+Laurie<ben at algroup.co.uk>, who correctly identified the issue and
+suggested the resolution.
+
+References
+----------
+
+[1] http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation
+[2] http://www.openssl.org/
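Review bot: the Impact section is inconsistent with the Background section. Background states that each encrypted block becomes the IV for the next block, so an 8-byte IV padded to a 16-byte block would only affect the first block; yet Impact says "The latter 8 bytes of each block are chained using a constant effective IV of null". Either the 2.16 chaining differs from the textbook CBC described above (then Description should say how), or "each block" should read "the first block". Two smaller points: Workaround names -salt=>1 while README.compatibility in this same commit uses -header=>'randomiv', so the advisory should use the same option names as the rest of the distribution; and "ciphers of all length" should read "ciphers of all block lengths".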

Modified: packages/libcrypt-cbc-perl/branches/upstream/current/MANIFEST
URL: http://svn.debian.org/wsvn/pkg-perl/packages/libcrypt-cbc-perl/branches/upstream/current/MANIFEST?rev=3211&op=diff
==============================================================================
--- packages/libcrypt-cbc-perl/branches/upstream/current/MANIFEST (original)
+++ packages/libcrypt-cbc-perl/branches/upstream/current/MANIFEST Sun Jul  2 15:12:52 2006
@@ -4,6 +4,8 @@
 META.yml			Module meta-data (added by MakeMaker)
 Makefile.PL
 README
+README.compatibility
+Crypt::CBC-2.16-vulnerability.txt
 eg/aes.pl
 eg/des.pl
 eg/idea.pl
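Review bot: the new MANIFEST entry Crypt::CBC-2.16-vulnerability.txt contains colons, which are not permitted in file names on Windows, so the distribution tarball will fail to unpack there and the MANIFEST check will fail. Suggest renaming the file to Crypt-CBC-2.16-vulnerability.txt (matching the "Crypt-CBC" distribution name already used in META.yml) in both MANIFEST and the added file itself.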

Modified: packages/libcrypt-cbc-perl/branches/upstream/current/META.yml
URL: http://svn.debian.org/wsvn/pkg-perl/packages/libcrypt-cbc-perl/branches/upstream/current/META.yml?rev=3211&op=diff
==============================================================================
--- packages/libcrypt-cbc-perl/branches/upstream/current/META.yml (original)
+++ packages/libcrypt-cbc-perl/branches/upstream/current/META.yml Sun Jul  2 15:12:52 2006
@@ -1,7 +1,7 @@
 # http://module-build.sourceforge.net/META-spec.html
 #XXXXXXX This is a prototype!!!  It will change in the future!!! XXXXX#
 name:         Crypt-CBC
-version:      2.17
+version:      2.18
 version_from: CBC.pm
 installdirs:  site
 requires:

Modified: packages/libcrypt-cbc-perl/branches/upstream/current/README
URL: http://svn.debian.org/wsvn/pkg-perl/packages/libcrypt-cbc-perl/branches/upstream/current/README?rev=3211&op=diff
==============================================================================
--- packages/libcrypt-cbc-perl/branches/upstream/current/README (original)
+++ packages/libcrypt-cbc-perl/branches/upstream/current/README Sun Jul  2 15:12:52 2006
@@ -4,14 +4,10 @@
 messages of arbitrarily long length.  The encrypted messages are
 compatible with the encryption format used by B<SSLeay>.
 
-IMPORTANT NOTE: Versions of this module prior to 2.17 were incorrectly
-using 8 byte IVs when generating the old-style RandomIV style header
-(as opposed to the new-style random salt header). This affects the
-Rijndael algorithm, which has a 16 byte blocksize. The bug has been
-corrected in versions 2.17 and higher, but in order to read legacy
-encrypted data, you will have to pass the B<-legacy_iv> option to
-new() using a true value.
-
+WARNING: Crypt::CBC versions 2.17 and higher will not decrypt messages
+encrypted with versions 2.16 and lower unless you pass certain options
+to the new() call. This was done for very good reasons. Please see
+README.compatibility for details.
 
 Prerequisites
 -------------
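Review bot: the new WARNING tells users to "pass certain options to the new() call" without naming them, whereas the paragraph it replaces did name one (-legacy_iv). Since README is what a user reads first when decryption of old data fails, suggest naming the options inline, e.g. "pass -header => 'randomiv' (and, for Rijndael, -insecure_legacy_decrypt => 1) to new()", and keep the pointer to README.compatibility for the rationale. Also state what became of -legacy_iv: if it is still accepted say so, and if not say which option replaces it, so users following the old README are not left with a silently ignored setting.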

Added: packages/libcrypt-cbc-perl/branches/upstream/current/README.compatibility
URL: http://svn.debian.org/wsvn/pkg-perl/packages/libcrypt-cbc-perl/branches/upstream/current/README.compatibility?rev=3211&op=file
==============================================================================
--- packages/libcrypt-cbc-perl/branches/upstream/current/README.compatibility (added)
+++ packages/libcrypt-cbc-perl/branches/upstream/current/README.compatibility Sun Jul  2 15:12:52 2006
@@ -1,0 +1,44 @@
+Compatibility Notes
+-------------------
+
+Crypt::CBC version 2.17 and higher contains changes designed to make
+encrypted messages more secure. In particular, Crypt::CBC now works
+correctly with ciphers that use block sizes greater than 8 bytes,
+which includes Rijndael, the basis for the AES encryption system. It
+also interoperates seamlessly with the OpenSSL library. Unfortunately,
+these changes break compatibility with messages encrypted with
+versions 2.16 and lower.
+
+To successfully decrypt messages encrypted with Crypt::CBC 2.16 and
+lower, follow these steps:
+
+1) Pass Crypt::CBC->new() the option -header=>'randomiv'. Example:
+
+ my $cbc = Crypt::CBC->new(-key     => $key,
+                           -cipher  => 'Blowfish',
+			   -header  => 'randomiv');
+
+This tells Crypt::CBC to decrypt messages using the legacy "randomiv"
+style header rather than the default SSL-compatible "salt" style
+header.
+
+2) If the legacy messages were encrypted using Rijndael, also pass
+Crypt::CBC the -insecure_legacy_decrypt=>1 option:
+
+ my $cbc = Crypt::CBC->new(-key                     => $key,
+                           -cipher                  => 'Rijndael',
+			   -header                  => 'randomiv',
+                           -insecure_legacy_decrypt => 1 );
+
+
+This tells Crypt::CBC to allow you to decrypt Rijndael messages that
+were incorrectly encrypted by pre-2.17 versions. It is important to
+realize that Rijndael messages encrypted by version 2.16 and lower
+*ARE NOT SECURE*. New versions of Crypt::CBC will refuse to encrypt
+Rijndael messages in a way that is backward compatible with 2.16 and
+lower.
+
+I apologize for any inconvenience this causes.
+
+Lincoln Stein
+Spring 2006
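Review bot: both code examples mix a leading tab with spaces on the "-header" lines, so they render misaligned wherever tabs are not 8 columns; indent with spaces only, as the other argument lines do. On substance, step 1 describes -header=>'randomiv' as a decryption setting, but a Crypt::CBC->new() object is also used for encryption, so the note should state whether this option makes newly encrypted messages carry the legacy header as well and, if so, advise using a separate object with the default header for anything newly encrypted. Finally, the document is dated only "Spring 2006"; adding the module version it ships with (2.18, per this commit) would let readers match it to the version they have installed.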
