Message-ID: <CAKws9z2psDS2P25SOykpaR0QUiMZd1Pe1q4Q3ia_YyXXh-ptGQ@mail.gmail.com>
Date: Sat, 16 Jan 2016 03:15:53 -0500
From: Scott Arciszewski <scott@...agonie.com>
To: oss-security@...ts.openwall.com, fulldisclosure@...lists.org
Subject: It essentially wins crypto vulnerability bingo! gilfether/phpcrypt

Consider this email the spiritual successor to my most recent post on Full
Disclosure (http://seclists.org/fulldisclosure/2016/Jan/50).

Today, we're going to talk about this library:
https://github.com/gilfether/phpcrypt/issues/6

Let's go down the list:

- [x] Wrote their own block cipher implementation
- [x] ...in PHP...
- [x] ...and forgot to account for function overloading!
- [x] Chosen-ciphertext attacks (the existence of which is almost implied by
      "PHP crypto". Almost.)
- [x] Defaults to a weak random number generator (32 bits of entropy is
      enough for AES, right?)
- [x] Defaults to ECB mode (https://blog.filippo.io/the-ecb-penguin/)
- [x] Offers a laundry list of ciphers available, some of which are stupid
- [x] ...like SimpleXOR (remember JCrypt?), Vigenere, and Enigma!

Yep, this is almost as bad as it gets.

I've attempted to notify everyone on Github who used this library, but
there might be some people who do that aren't on Github. Please spread the
word: migrate away from homebrew PHP cryptography.

Like most "pure PHP" cryptography projects, this code is pure security
theater. There is no salvaging it.

For PHP developers who would otherwise be left out in the rain by this
disclosure, here are some PHP cryptography libraries that do it right:

1. https://github.com/jedisct1/libsodium-php (HIGHLY recommended!)
2. https://github.com/defuse/php-encryption (recommended!)
3. https://github.com/paragonie/halite (requires #1)
4. https://github.com/paragonie/EasyRSA (reluctantly included for people
   that really believe they need RSA)

(Details:
https://paragonie.com/blog/2015/11/choosing-right-cryptography-library-for-your-php-project-guide
)

Seriously, folks: Writing cryptography primitives or protocols is hazardous
in any language. Even if you have a mathematics background. If you can't
afford to hire a cryptography expert to audit your library before you
publish it, you should seriously consider using one that the community has
already reviewed for free.

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises <https://paragonie.com>

P.S. MITRE, if you're not busy, could you slap a CVE on the issues? This
library actually gets a fair bit of use (though hopefully not for long).
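The two checklist items that are easiest to miss in a code review are "forgot to account for function overloading" and "defaults to a weak random number generator". The following is an added example written for this page; it is not code from gilfether/phpcrypt or from any of the libraries listed above, and the function names (`bytes_len`, `bytes_slice`, `split_blocks`, `overload_check`, `weak_iv`, `random_iv`) are invented for illustration. It shows the byte-safe string helpers a pure-PHP block cipher would need, a start-up check that refuses to run if `strlen()` has been overloaded, and an `mt_rand()`-based IV beside a `random_bytes()` one.

```php
<?php
declare(strict_types=1);

/*
 * Added example for the checklist above; not code from gilfether/phpcrypt.
 * All function names below are assumptions chosen for this illustration.
 *
 * Function overloading: with mbstring.func_overload set to 2 or higher
 * (possible up to PHP 7.x; the setting was removed in PHP 8.0), strlen()
 * and substr() are silently replaced by mb_strlen()/mb_substr() and count
 * characters in the mbstring internal encoding instead of bytes. Keys,
 * IVs and ciphertext are arbitrary bytes, so a 16-byte block can be
 * reported as fewer "characters" and the cipher then splits its input at
 * the wrong offsets. Asking for the '8bit' encoding explicitly avoids this.
 */

function bytes_len(string $s): int
{
    return function_exists('mb_strlen') ? mb_strlen($s, '8bit') : strlen($s);
}

function bytes_slice(string $s, int $start, ?int $len = null): string
{
    if (function_exists('mb_substr')) {
        return $len === null
            ? mb_substr($s, $start, null, '8bit')
            : mb_substr($s, $start, $len, '8bit');
    }
    // substr() with a null length is only safe on PHP 8; branch for PHP 7.
    return $len === null ? substr($s, $start) : substr($s, $start, $len);
}

// Split a byte string into fixed-size blocks using only byte-safe helpers.
function split_blocks(string $data, int $blockSize = 16): array
{
    $n = bytes_len($data);
    if ($n % $blockSize !== 0) {
        throw new InvalidArgumentException("input length $n is not a multiple of $blockSize");
    }
    $blocks = [];
    for ($i = 0; $i < $n; $i += $blockSize) {
        $blocks[] = bytes_slice($data, $i, $blockSize);
    }
    return $blocks;
}

// Start-up self-check: the constructed sample is 16 bytes that also decode
// as 8 UTF-8 characters, so an overloaded strlen() reports 8, not 16.
function overload_check(): void
{
    $sample = str_repeat("\xc3\xa9", 8); // constructed: "é" x 8 in UTF-8
    if (strlen($sample) !== bytes_len($sample)) {
        throw new RuntimeException(
            'strlen() is overloaded on this host; refusing to run byte-oriented crypto'
        );
    }
}

/*
 * Weak RNG default: mt_rand() is a non-cryptographic generator seeded from
 * a 32-bit value, so every IV or key derived from it lives in a search
 * space of about 2^32 no matter how many bytes are produced. Shown only
 * for contrast; never use it for key material.
 */
function weak_iv(int $len = 16): string
{
    $iv = '';
    for ($i = 0; $i < $len; $i++) {
        $iv .= chr(mt_rand(0, 255));
    }
    return $iv;
}

// random_bytes() (PHP 7+) reads the operating system CSPRNG and throws
// instead of silently degrading when no secure source is available.
function random_iv(int $len = 16): string
{
    return random_bytes($len);
}

overload_check();
$iv = random_iv();
$blocks = split_blocks($iv . str_repeat("\x00", 16));
printf("iv bytes: %d, blocks: %d, first block hex: %s\n",
    bytes_len($iv), count($blocks), bin2hex($blocks[0]));
```

The self-check matters because `mbstring.func_overload` is an INI setting the library author does not control; a cipher that cannot verify its own byte arithmetic at start-up will corrupt or truncate data on any host where a hosting provider has enabled overloading.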