
[Fwd: Bug#357363: [Fwd: Re: libcrypt-cbc-perl: Crypt::CBC uses 8 bits salt for 16 bits ciphers]]



-- 
-------e-l-o-y---------------------------e-l-o-y-@-k-o-f-e-i-n-a-.-n-e-t------

       how good it is that there are oceans - without them it would be even sadder
--- Begin Message ---
Hi Allard,

I've just received this response. I will read it now, but I would like
to hear your opinion too.

Thanks in advance,
Gustavo Franco - <stratus@debian.org>
--- Begin Message ---
Hi,

Please explain to me why you think that the salt must be the same length as 
the cipher key. It seems to me that the situation is exactly analogous to 
Unix crypt() in which the key is 8 characters long and the salt is 2 
characters--the salt is there only to thwart a dictionary-based attack; the 
security comes from the length of the key.

Perhaps you are worried because this seems analogous to the IV length bug 
fixed in the last release. I think that using an 8 byte salt with a 16-byte 
cipher is not analogous to using an 8 byte IV for a 16 byte cipher. In the 
former example, the randomization from the salt is spread throughout the 
entire generated key and IV, and the security comes from the number of bits 
of data in the whole passphrase. In the latter case, the latter 8 bytes of 
the data are being encrypted using a constant IV of 0x00000000, reducing half 
of the ciphertext to a weak ECB (dictionary-attack-vulnerable) cipher.

If you apply the suggested patch, then Crypt::CBC will be unable to 
interoperate with OpenSSL, which uses 8 byte salts for block ciphers of all 
sizes. I am Cc'ing Ben Laurie on this so that he can weigh in before you make 
any decisions.

Lincoln

On Thursday 16 March 2006 22:07, Gustavo Franco wrote:
> Hi Lincoln,
>
> Allard and I, working on a security patch for Debian Sarge, found out
> that the latest Crypt::CBC still has a problem.
>
> You can read Allard's report, with a patch attached and a test tool at:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=357363
>
> I would like to hear your feedback on the changes before patching
> the Debian package in our development branch.
>
> Thanks in advance,
> Gustavo Franco - <stratus@debian.org>

-- 
Lincoln D. Stein
Cold Spring Harbor Laboratory
1 Bungtown Road
Cold Spring Harbor, NY 11724
FOR URGENT MESSAGES & SCHEDULING, 
PLEASE CONTACT MY ASSISTANT, 
SANDRA MICHELSEN, AT michelse@cshl.edu (516 367-5008)

--- End Message ---
_______________________________________________
pkg-perl-maintainers mailing list
pkg-perl-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-perl-maintainers

--- End Message ---
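
The salt handling discussed in this thread, as an added example that is not part of the original messages or of Crypt::CBC: it assumes OpenSSL's legacy MD5-based derivation (EVP_BytesToKey, one iteration) and the `Salted__` header, and shows that a one-bit change in the 8-byte salt changes every 16-byte block of a 32-byte key and 16-byte IV. The passphrase, salts and helper names are constructed for illustration.

```python
import hashlib

MAGIC = b"Salted__"   # header OpenSSL's enc writes before the 8-byte salt
SALT_LEN = 8          # fixed, independent of the cipher's block or key size


def evp_bytes_to_key(passphrase: bytes, salt: bytes, key_len: int, iv_len: int):
    """Assumed scheme: OpenSSL legacy derivation (MD5, one iteration)."""
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly 8 bytes")
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        # Every block re-hashes passphrase and salt, chained on the previous block.
        block = hashlib.md5(block + passphrase + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def split_salted(blob: bytes):
    """Split an OpenSSL-style salted message into (salt, ciphertext)."""
    if len(blob) < len(MAGIC) + SALT_LEN or not blob.startswith(MAGIC):
        raise ValueError("missing Salted__ header")
    return blob[8:16], blob[16:]


def differing_blocks(a: bytes, b: bytes, size: int = 16):
    """Count size-byte blocks that differ between two equal-length strings."""
    return sum(a[i:i + size] != b[i:i + size] for i in range(0, len(a), size))


def demo():
    passphrase = b"correct horse"                  # constructed sample
    salt_a = bytes.fromhex("0102030405060708")     # constructed sample
    salt_b = bytes.fromhex("0102030405060709")     # differs from salt_a in one bit
    # 32-byte key and 16-byte IV: sizes for a 16-byte-block cipher with a 256-bit key.
    key_a, iv_a = evp_bytes_to_key(passphrase, salt_a, 32, 16)
    key_b, iv_b = evp_bytes_to_key(passphrase, salt_b, 32, 16)
    return differing_blocks(key_a + iv_a, key_b + iv_b)


if __name__ == "__main__":
    print("16-byte blocks changed by the salt:", demo(), "of 3")
```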