nippy

History

Peter Taoussanis 23276ac910 [#101 ] NB Change default encryption from AES-CBC to AES-GCM Why? - AES-GCM is faster and can be more secure, Ref. https://goo.gl/Dsc9mL, etc. - AES-GCM is an authenticated[1] encryption mechanism, providing automatic integrity checks. This is relevant to [#101]. What's the issue with #101? - We compress then encrypt on freeze ; Reverse would make compression useless - So we decrypt then decompress on thaw Attempting CBC decryption with the wrong password will often but not always throw. Meaning it's possible for decompression could be attempted with a junk ba. And this can cause some decompressors to fail in a destructive way, including large allocations (DDoS) or even taking down the JVM in extreme cases. Possible solutions? - We could add our own HMAC, etc. - And/or we could use something like AES-GCM which offers built-in integrity and will throw an AEADBadTagException on failure. There may indeed be reasons [2,3,4] to consider adding a custom HMAC - and that's still on the cards for later. But in the meantime, the overall balance of pros/cons seems to lean in the direction of choosing AES-GCM as a reasonable default. Note that the change in this commit is done in a backward-compatible way using Nippy's versioned header: new payloads will be written using AES-GCM by default. But old payloads already written using AES-CBC will continue to be read using that scheme. References [1] https://en.wikipedia.org/wiki/Authenticated_encryption [2] https://www.daemonology.net/blog/2009-06-24-encrypt-then-mac.html [3] https://blog.cryptographyengineering.com/2011/12/04/matt-green-smackdown-watch-are-aead/ [4] HMAC vs AEAD integrity, https://crypto.stackexchange.com/q/24379 [5] AES-GCM vs HMAC-SHA256 integrity, https://crypto.stackexchange.com/q/30627	2019-01-06 14:13:34 +01:00
..
nippy/tests	[#101 ] NB Change default encryption from AES-CBC to AES-GCM	2019-01-06 14:13:34 +01:00

Peter Taoussanis 23276ac910 [#101 ] NB Change default encryption from AES-CBC to AES-GCM

Why?

- AES-GCM is faster and can be more secure, Ref. https://goo.gl/Dsc9mL, etc.
- AES-GCM is an authenticated[1] encryption mechanism, providing
automatic integrity checks. This is relevant to [#101].

What's the issue with #101?

- We compress then encrypt on freeze ; Reverse would make compression useless
- So we decrypt then decompress on thaw

Attempting CBC decryption with the wrong password will often but not
*always* throw. Meaning it's possible for decompression could be
attempted with a junk ba. And this can cause some decompressors to
fail in a destructive way, including large allocations (DDoS) or even
taking down the JVM in extreme cases.

Possible solutions?

- We could add our own HMAC, etc.
- And/or we could use something like AES-GCM which offers built-in
integrity and will throw an AEADBadTagException on failure.

There may indeed be reasons [2,3,4] to consider adding a custom HMAC -
and that's still on the cards for later.

But in the meantime, the overall balance of pros/cons seems to lean
in the direction of choosing AES-GCM as a reasonable default.

Note that the change in this commit is done in a backward-compatible
way using Nippy's versioned header: new payloads will be written using
AES-GCM by default. But old payloads already written using AES-CBC will
continue to be read using that scheme.

References
[1] https://en.wikipedia.org/wiki/Authenticated_encryption
[2] https://www.daemonology.net/blog/2009-06-24-encrypt-then-mac.html
[3] https://blog.cryptographyengineering.com/2011/12/04/matt-green-smackdown-watch-are-aead/
[4] HMAC vs AEAD integrity, https://crypto.stackexchange.com/q/24379
[5] AES-GCM vs HMAC-SHA256 integrity, https://crypto.stackexchange.com/q/30627

2019-01-06 14:13:34 +01:00

nippy/tests

[#101 ] NB Change default encryption from AES-CBC to AES-GCM

2019-01-06 14:13:34 +01:00