HMAC2 including modulo?

Posted: Thu Jun 11, 2015 7:23 pm
by philios33
Hi Paul

I noticed that my PHP implementation only seems to be compatible with the application when I don't include the file size modulo in the second HMAC. An attacker could modify the byte at address (file size - 33) and cause up to an extra 15 bytes of truncation without the integrity being compromised. Bad implementations which don't check that the modulo byte is less than 16 could be affected worse if they blindly strip that amount of data from the end. From what I can see, all other important data is included in one of the HMACs except for that one byte, which is a bit annoying.

Thanks

Phil
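The trailer check Phil describes, as an added example that is not code from the post or from AES Crypt: a constructed model of the v2 trailer (a modulo byte at file size - 33 followed by a 32-byte HMAC-SHA256), with a verifier that bounds-checks the modulo byte and verifies the HMAC before stripping anything, and a `cover_modulo` switch that binds the byte into the tag the way the format intended. The key, the payload and the rule that a zero modulo means a full final block are assumptions for the demo; AES decryption itself is left out.

```python
import hashlib
import hmac

BLOCK = 16                 # AES block size
TAG_LEN = 32               # HMAC-SHA256 output
TRAILER_LEN = 1 + TAG_LEN  # modulo byte followed by the HMAC


def trailer_tag(key: bytes, ciphertext: bytes, modulo: int, cover_modulo: bool) -> bytes:
    """HMAC-SHA256 over the ciphertext; cover_modulo=True also binds the modulo byte."""
    msg = ciphertext + (bytes([modulo]) if cover_modulo else b"")
    return hmac.new(key, msg, hashlib.sha256).digest()


def seal(key: bytes, ciphertext: bytes, modulo: int, cover_modulo: bool) -> bytes:
    """Append the constructed trailer: [modulo byte][32-byte HMAC]."""
    if len(ciphertext) % BLOCK or not 0 <= modulo < BLOCK:
        raise ValueError("ciphertext must be block aligned and modulo in 0..15")
    return ciphertext + bytes([modulo]) + trailer_tag(key, ciphertext, modulo, cover_modulo)


def open_strict(key: bytes, blob: bytes, cover_modulo: bool) -> bytes:
    """Validate the trailer, then return the ciphertext with last-block padding removed.

    The modulo byte is bounds-checked and the HMAC verified before anything is
    stripped, so a damaged byte can never drive the strip length past 15.
    """
    if len(blob) < BLOCK + TRAILER_LEN:
        raise ValueError("too short to hold one block plus a trailer")
    ciphertext, modulo, tag = blob[:-TRAILER_LEN], blob[-TRAILER_LEN], blob[-TAG_LEN:]
    if len(ciphertext) % BLOCK:
        raise ValueError("ciphertext is not block aligned")
    if modulo >= BLOCK:  # the check the post says careless implementations skip
        raise ValueError(f"modulo byte {modulo} outside 0..15")
    if not hmac.compare_digest(tag, trailer_tag(key, ciphertext, modulo, cover_modulo)):
        raise ValueError("HMAC mismatch")
    strip = 0 if modulo == 0 else BLOCK - modulo  # assumed: 0 means a full final block
    return ciphertext[: len(ciphertext) - strip]


def corrupt_modulo_byte(blob: bytes, value: int) -> bytes:
    """Simulate the damage from the post: overwrite the byte at (file size - 33)."""
    return blob[:-TRAILER_LEN] + bytes([value]) + blob[-TAG_LEN:]


def accepted(key: bytes, blob: bytes, cover_modulo: bool) -> bool:
    """True when open_strict accepts the blob, False when it rejects it."""
    try:
        open_strict(key, blob, cover_modulo)
        return True
    except ValueError:
        return False
```

With `cover_modulo=False` a changed modulo byte in range still verifies and only shortens the output, which is the data-damage case Phil describes; with `cover_modulo=True` the same change fails the HMAC, and an out-of-range byte is rejected in both modes before any stripping happens.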

Re: HMAC2 including modulo?

Posted: Fri Jun 12, 2015 3:18 am
by paulej
Phil,

Yes, sadly this is a bug. It does not compromise security, but you're right that someone could damage data.

It was intended to be included in the HMAC computation, which is why the file format is ordered as it is. But, I screwed up and AES Crypt was in the wild before I discovered the mistake. Fixing it would mean breaking backward compatibility (at least to some degree).

I've been thinking of how to address the issue -- which is definitely planned for v4 of the file format (which has been planned for a few years ... not moving fast) -- and the idea is to move away from using a modulo to something else, such as ciphertext stealing. I'd like something even better than what we have today.

In any case, yes... this issue exists.

Paul