Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

key_helpers.DecryptPayload vulnerability: missing IV check #1

Open
yoursunny opened this issue Jun 13, 2023 · 2 comments
Open

key_helpers.DecryptPayload vulnerability: missing IV check #1

yoursunny opened this issue Jun 13, 2023 · 2 comments

Comments

@yoursunny
Copy link

NDNCERT protocol requires the recipient of encrypted messages to check the uniqueness of the initialization-vector field, which is essential for the security of the AES-GCM crypto.
However, key_helpers.DecryptPayload has not properly implemented this check.

go-ndncert/key_helpers/aes.go

Lines 87 to 110 in ca9e50f

func DecryptPayload(key [16]byte, message EncryptedMessage, requestId [8]uint8, previousBlockCounter *uint32) ([]byte, CryptoStatus) {
block, cipherErr := aes.NewCipher(key[:])
if cipherErr != nil {
return nil, CryptoStatusError
}
nonce := message.InitializationVector[:]
aesgcm, encryptErr := cipher.NewGCM(block)
if encryptErr != nil {
return nil, CryptoStatusError
}
ciphertext := append(message.EncryptedPayload, message.AuthenticationTag[:]...)
plaintext, _ := aesgcm.Open(nil, nonce, ciphertext, requestId[:])
//plaintextBlocks := uint32(math.Ceil(float64(float32(len(plaintext)) / float32(TagSizeBytes))))
//if err != nil {
// return nil, CryptoStatusError
//}
//if *previousBlockCounter = *previousBlockCounter + plaintextBlocks; *previousBlockCounter != binary.BigEndian.Uint32(message.InitializationVector[RandomSizeBytes:]) {
// return nil, CryptoStatusInvalidCounter
//}
return plaintext, CryptoStatusOk
}

This NDNCERT implementation must not be used until the required check is implemented.
@zjkmxy zjkmxy self-assigned this Jun 14, 2023
@zjkmxy
Copy link
Contributor

zjkmxy commented Jul 1, 2023

There are actually bigger issues:

  • CA/INFO is signed by SHA256

    go-ndncert/ndncert/server/ca.go

    Lines 60 to 69 in ca9e50f

    "type": "Sha256Signer",
    "path": "/32=metadata/<v=versionNumber>/seg=0"
    },
    {
    "type": "Sha256Signer",
    "path": "/32=metadata"
    },
    {
    "type": "Sha256Signer",
    "path": "/<v=versionNumber>/<seg=segmentNumber>"
  • The server uses a different self-signed certificate every time it starts up, and does not store the certificate anywhere

    go-ndncert/main/server/main.go

    Line 48 in ca9e50f

    certKey, certKeyError := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
  • The client does not accept a trust anchor as input, and it does not check the CA's certificate returned in the PROBE step is properly signed by the test bed's trust anchor.

    go-ndncert/main/client/main.go

    Lines 61 to 68 in ca9e50f

    certKeyBits, _, certKeyBitsError := spec_2022.Spec{}.ReadData(enc.NewBufferReader(caInfoResult.CaCertificate))
    if certKeyBitsError != nil {
    logger.Fatal("Failed to parse certificate key bits data")
    }
    caPublicIdentityKey, parseCertificatePublicKeyError := key_helpers.ParsePublicKey(certKeyBits.Content().Join())
    if parseCertificatePublicKeyError != nil {
    logger.Fatalf("Failed to parse certificate public key from CA INFO: %+v", parseCertificatePublicKeyError)
    }

Given it is hard to fix all these issues, let me delay the fixing for now.

@zjkmxy zjkmxy removed their assignment Jul 1, 2023
@yoursunny
Copy link
Author

Then you should retract the release on pkg.go.dev and put a warning in README.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@yoursunny @zjkmxy