
Crypto Fails
Highlighting Poor Cryptography Practices
Reasoning by Lego: A flawed perspective on cryptography

Scott Arciszewski from Paragon Initiative directed me to this example of PHP cryptography.
The code is bad and there are lessons to learn
The code is indeed poor, and the crypto design has significant flaws. However, as is customary for this blog, we can extract some valuable lessons from it.

Let's set aside the fact that it uses MCRYPT_RIJNDAEL_256 (the 256-bit block variant of Rijndael, which is not AES) instead of MCRYPT_RIJNDAEL_128 (the actual AES), the lack of return value checks for substr(), and the issue of passing a hexadecimal-encoded key to a function that requires a binary string. I have previously addressed all of these shortcomings in this blog, so I will not revisit them here. Instead, let's concentrate on two key points.

First, the code implements a "MAC then Encrypt" (MtE) approach: the Message Authentication Code (MAC) is computed over the plaintext message and then encrypted along with it, which goes against contemporary cryptographic best practice ("Encrypt then MAC", where the MAC covers the ciphertext).

Second, the MAC is verified using a non-timing-safe comparison. This allows an attacker to learn how much of a candidate MAC matches by measuring, with high precision, the time taken by failed decryption attempts. In an "Encrypt then MAC" (EtM) design, where the MAC is applied to the ciphertext after encryption, such a timing leak could allow message forgery. In this instance, however, the MAC is embedded within the ciphertext and encrypted, so exploiting the leak may initially appear more challenging. Indeed, this issue has been raised previously.
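To make the two points concrete, here is an added example (not code from the original post, and not the PHP code it discusses) that builds both constructions side by side: a MAC-then-Encrypt variant that mirrors the flaw described above, with the tag computed over the plaintext, encrypted alongside it, and checked with plain equality after decryption; and an Encrypt-then-MAC variant that authenticates nonce and ciphertext, appends the tag in the clear, and rejects tampered input with a constant-time comparison before any decryption happens. Python's standard library has no AES, so the cipher below is a CTR-style keystream derived from HMAC-SHA256; that is an assumption made purely to keep the example self-contained, and the keys and sample message are constructed values. The MAC placement and comparison behaviour, which are the post's actual points, do not depend on which cipher sits underneath.

```python
import hashlib
import hmac
import os

# Constructed sample keys for this example only. Real deployments derive
# separate encryption and MAC keys from a KDF; they are never hard-coded.
ENC_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
MAC_KEY = bytes.fromhex("202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f")

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Assumption: a CTR-style keystream from HMAC-SHA256 stands in for AES-CTR,
    # because the standard library ships no block cipher. Same nonce + counter
    # always yields the same bytes, which is what XOR encryption needs.
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def mte_encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """MAC-then-Encrypt, as in the PHP code under discussion."""
    nonce = os.urandom(NONCE_LEN)
    tag = hmac.new(mac_key, plaintext, hashlib.sha256).digest()  # tag over plaintext
    body = plaintext + tag                                       # tag travels encrypted
    return nonce + _xor(body, _keystream(enc_key, nonce, len(body)))


def mte_decrypt(enc_key: bytes, mac_key: bytes, blob: bytes):
    """Decrypts first, then checks the tag; returns None on failure."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    body = _xor(ct, _keystream(enc_key, nonce, len(ct)))  # attacker-controlled bytes are
    plaintext, tag = body[:-TAG_LEN], body[-TAG_LEN:]     # decrypted before any check
    expected = hmac.new(mac_key, plaintext, hashlib.sha256).digest()
    # The defect the post calls out: ordinary equality, which is not guaranteed
    # to run in constant time, so failure latency can depend on the match length.
    if tag != expected:
        return None
    return plaintext


def etm_encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers nonce and ciphertext and is sent in the clear."""
    nonce = os.urandom(NONCE_LEN)
    ct = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def etm_decrypt(enc_key: bytes, mac_key: bytes, blob: bytes):
    """Verifies the tag in constant time, and only then decrypts."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce = blob[:NONCE_LEN]
    ct = blob[NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    # hmac.compare_digest runs in time independent of where the first mismatch is,
    # so a forger learns nothing from timing failed attempts.
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))


def flip_byte(blob: bytes, index: int) -> bytes:
    """Simulates an in-transit modification of one ciphertext byte."""
    modified = bytearray(blob)
    modified[index] ^= 0x01
    return bytes(modified)


def demo() -> dict:
    """Round-trips a constructed message through both schemes and tampers with each."""
    msg = b"attack at dawn"  # constructed sample message
    mte_blob = mte_encrypt(ENC_KEY, MAC_KEY, msg)
    etm_blob = etm_encrypt(ENC_KEY, MAC_KEY, msg)
    return {
        "mte_roundtrip": mte_decrypt(ENC_KEY, MAC_KEY, mte_blob),
        "mte_tampered": mte_decrypt(ENC_KEY, MAC_KEY, flip_byte(mte_blob, NONCE_LEN)),
        "etm_roundtrip": etm_decrypt(ENC_KEY, MAC_KEY, etm_blob),
        "etm_tampered": etm_decrypt(ENC_KEY, MAC_KEY, flip_byte(etm_blob, NONCE_LEN)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Both schemes reject the flipped byte, so the difference is not in the happy path. It lies in what the receiver has already done by the time it decides: the MtE decryptor has run the cipher over attacker-chosen bytes and then leaked match-length timing through `!=`, whereas the EtM decryptor touches the ciphertext only after `compare_digest` has accepted the tag.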