HMAC2 including modulo?

Discussion related to AES Crypt, the file encryption software for Windows, Linux, Mac, and Java.
philios33
Posts: 4
Joined: Fri Dec 05, 2014 12:27 am

HMAC2 including modulo?

Post by philios33 » Thu Jun 11, 2015 7:23 pm

Hi Paul

I noticed that my PHP implementation only seems to be compatible with the application when I don't include the file size modulo in the second HMAC. An attacker could modify the byte at address (file size - 33) and cause up to an extra 15 bytes of truncation without the integrity being compromised. Bad implementations which don't check that the modulo byte is less than 16 could be affected worse if they blindly strip that amount of data from the end. From what I can see, all other important data is included in one of the HMACs except for that one byte, which is a bit annoying.

Thanks

Phil

paulej
Posts: 521
Joined: Sun Aug 23, 2009 7:32 pm
Location: Research Triangle Park, NC, USA

Re: HMAC2 including modulo?

Post by paulej » Fri Jun 12, 2015 3:18 am

Phil,

Yes, sadly this is a bug. It does not compromise security, but you're right that someone could damage data.

It was intended to be included in the HMAC computation, which is why the file format is ordered as it is. But, I screwed up and AES Crypt was in the wild before I discovered the mistake. Fixing it would mean breaking backward compatibility (at least to some degree).

What I've been thinking of to address the issue -- which is definitely planned for v4 of the file format (which has been planned for a few years ... not moving fast) -- is to move away from using a modulo to something else, such as ciphertext stealing. I'd like something even better than what we have today.

In any case, yes... this issue exists.

Paul
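The following is an added example, not code from AES Crypt or from either poster, modelling only the tail of the container that both posts discuss: ciphertext blocks, the single "file size modulo 16" byte at offset (size - 33), and HMAC2 over the ciphertext. The `cover_modulo=False` path reproduces the shipped behaviour Phil observed (the modulo byte is outside the HMAC input); `cover_modulo=True` is the intended layout Paul describes, with the byte included. The key and ciphertext bytes are constructed stand-ins, and the function names are this example's own. The verifier shows the two checks a decryptor should apply regardless of version: reject a modulo byte of 16 or more, and reject a modulo byte that would strip more than the ciphertext holds.

```python
import hmac
import hashlib

BLOCK = 16      # AES block size; the trailer byte stores plaintext_len % 16
TAG_LEN = 32    # HMAC-SHA256 output length

# Constructed stand-ins (not real AES Crypt key material or AES-CBC output).
MAC_KEY = bytes(range(32))
CIPHERTEXT = bytes((i * 7) & 0xFF for i in range(48))   # 3 full blocks


def build_trailer(mac_key, ciphertext, plaintext_len, cover_modulo=False):
    """Return ciphertext || modulo byte || HMAC2.

    cover_modulo=False: HMAC2 over the ciphertext only (the shipped behaviour
    discussed in the thread).  cover_modulo=True: HMAC2 also covers the modulo
    byte (the layout the author says was intended).
    """
    if len(ciphertext) % BLOCK:
        raise ValueError("ciphertext must be block aligned")
    modulo = bytes([plaintext_len % BLOCK])
    mac_input = ciphertext + modulo if cover_modulo else ciphertext
    tag = hmac.new(mac_key, mac_input, hashlib.sha256).digest()
    return ciphertext + modulo + tag


def verify_trailer(mac_key, blob, cover_modulo=False):
    """Validate the trailer and return (ciphertext, plaintext_len).

    Raises ValueError on HMAC mismatch or on a modulo byte that cannot be a
    valid residue mod 16 or is inconsistent with the ciphertext length.
    """
    if len(blob) < 1 + TAG_LEN:
        raise ValueError("truncated trailer")
    ciphertext = blob[:-(1 + TAG_LEN)]
    modulo = blob[-(1 + TAG_LEN)]          # the byte at offset (size - 33)
    tag = blob[-TAG_LEN:]
    if len(ciphertext) % BLOCK:
        raise ValueError("ciphertext not block aligned")
    mac_input = ciphertext + bytes([modulo]) if cover_modulo else ciphertext
    expected = hmac.new(mac_key, mac_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("HMAC2 mismatch")
    # Bounds check the first post asks for: never trust an out-of-range byte.
    if modulo >= BLOCK:
        raise ValueError("modulo byte out of range")
    # modulo 0 means the last block is full; otherwise strip the unused bytes.
    padding = (BLOCK - modulo) % BLOCK
    if padding > len(ciphertext):
        raise ValueError("modulo byte inconsistent with ciphertext length")
    return ciphertext, len(ciphertext) - padding


def length_accepted_with_modulo(mac_key, blob, new_modulo, cover_modulo=False):
    """Overwrite the modulo byte and report what the verifier accepts.

    Returns the plaintext length the verifier would hand back, or None if it
    rejects the altered trailer.  Used here to show which layout detects a
    change to that byte.
    """
    altered = bytearray(blob)
    altered[-(1 + TAG_LEN)] = new_modulo
    try:
        return verify_trailer(mac_key, bytes(altered), cover_modulo)[1]
    except ValueError:
        return None


if __name__ == "__main__":
    legacy = build_trailer(MAC_KEY, CIPHERTEXT, 45)           # modulo byte = 13
    print(verify_trailer(MAC_KEY, legacy)[1])                  # 45
    # HMAC2 still verifies, so the decryptor strips 15 bytes instead of 3.
    print(length_accepted_with_modulo(MAC_KEY, legacy, 1))     # 33
    # The range check still catches a byte that is not a valid residue.
    print(length_accepted_with_modulo(MAC_KEY, legacy, 200))   # None
    fixed = build_trailer(MAC_KEY, CIPHERTEXT, 45, cover_modulo=True)
    # With the byte under the HMAC, any change is an HMAC2 mismatch.
    print(length_accepted_with_modulo(MAC_KEY, fixed, 1, cover_modulo=True))  # None
```

The range and consistency checks in `verify_trailer` are what a compatible implementation can do today without changing the format: they close the "blindly strip that amount" case, while the up-to-15-byte truncation remains detectable only once the modulo byte (or a replacement such as ciphertext stealing) is under the HMAC.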
