
Weak Encryption
JavaDerg opened this issue · 3 comments
Confirmation
- I have read the wiki
Bug description
Hello,
I decided to have a look at the encryption used, and I found a few issues.
I am making this a public disclosure as I believe the impact of these findings to be generally minimal, considering the threat model of this mod.
This mod uses AES/CBC/PKCS5Padding with server-provided 128-bit keys and a random 128-bit nonce per packet.
- AES/CBC is not authenticated, packets altered in transmission may not be detected
- PKCS5 is not meant to be used with AES and provides insufficient padding
- AES/CBC is vulnerable to the padding oracle attack, which may lead to key recovery by an attacker
Possible Solution:
A preamble, I'm not a cryptographer, at best a novice, take this proposal with a big grain of salt.
Use AES/GCM/NoPadding, and switch to deterministic nonces, as GCM limits nonce sizes to 96 bits.
I'm personally not a fan of AES-GCM as it has different issues, but this is a quick and decent fix for these issues.
Use a counter for nonces, make the client count from 0, the server from 2^96-1 towards 0.
This isn't a great solution, but setting the worst case of 2^32 packets per day (about 50000/s) from either peer, both would collide after around 2^63 days.
Additionally, this would allow for rejecting packets that arrive out of order, which would also prevent replay attacks.
Minecraft version
N/A
Mod/Plugin version
N/A
Mod/Plugin loader and version
N/A
Steps to reproduce
N/A
Expected behavior
No response
Log files
N/A
Screenshots
No response
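The proposal above (AES/GCM/NoPadding, client nonce counting up from 0, server counting down from 2^96-1, out-of-order packets rejected) worked through as an added Java example; this is not code from the mod or from the issue author, and the class name, the packet layout nonce || ciphertext || tag, and the 16-byte key being supplied out of band are assumptions.

```java
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.*;

public final class GcmCounterChannel {   // hypothetical class, one endpoint of the channel
    private static final BigInteger NONCE_LIMIT = BigInteger.ONE.shiftLeft(96); // 2^96
    private final SecretKey key;          // 16-byte key, assumed to be provided by the server out of band
    private final boolean isClient;       // client counts up from 0, server counts down from 2^96-1
    private BigInteger sendNonce;         // nonce for the next outgoing packet
    private BigInteger lastAccepted;      // nonce of the last packet accepted from the peer, null at start
    public GcmCounterChannel(byte[] rawKey, boolean isClient) {
        this.key = new SecretKeySpec(rawKey, "AES");
        this.isClient = isClient;
        this.sendNonce = isClient ? BigInteger.ZERO : NONCE_LIMIT.subtract(BigInteger.ONE);
    }
    /** 96-bit big-endian encoding; toByteArray() may carry a leading sign byte, so keep the low 12 bytes. */
    private static byte[] encodeNonce(BigInteger n) {
        byte[] raw = n.toByteArray(), out = new byte[12];
        int len = Math.min(raw.length, 12);
        System.arraycopy(raw, raw.length - len, out, 12 - len, len);
        return out;
    }
    /** Returns nonce || ciphertext || 128-bit tag; refuses to send once this key's nonce space is used up. */
    public byte[] seal(byte[] plaintext) throws GeneralSecurityException {
        if (sendNonce.signum() < 0 || sendNonce.compareTo(NONCE_LIMIT) >= 0)
            throw new IllegalStateException("nonce space exhausted: rekey before sending more");
        byte[] nonce = encodeNonce(sendNonce);
        sendNonce = isClient ? sendNonce.add(BigInteger.ONE) : sendNonce.subtract(BigInteger.ONE);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plaintext), out = Arrays.copyOf(nonce, 12 + ct.length);
        System.arraycopy(ct, 0, out, 12, ct.length);
        return out;
    }
    /** Drops replayed and out-of-order packets, then authenticates and decrypts the rest. */
    public byte[] open(byte[] packet) throws GeneralSecurityException {
        if (packet.length < 12 + 16) throw new GeneralSecurityException("packet too short");
        byte[] nonceBytes = Arrays.copyOf(packet, 12); BigInteger nonce = new BigInteger(1, nonceBytes);
        // the peer moves the opposite way: a client expects server nonces to decrease, a server expects client nonces to increase
        boolean stale = lastAccepted != null && (isClient ? nonce.compareTo(lastAccepted) >= 0 : nonce.compareTo(lastAccepted) <= 0);
        if (stale) throw new GeneralSecurityException("replayed or out-of-order packet");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, nonceBytes));
        byte[] pt = c.doFinal(packet, 12, packet.length - 12); // throws AEADBadTagException if the packet was altered
        lastAccepted = nonce; // advance only after the tag verified, so a forged header cannot move the window
        return pt;
    }
}
```

Because the check is strictly monotonic, a packet that arrives late is discarded rather than held for later, which is what the proposal asks for but also means the transport underneath must deliver in order. The window only advances after a successful tag check, so an attacker who cannot forge tags also cannot desynchronise the peers by injecting headers.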
Respectfully, I disagree. This is also a reason why versioning in cryptographic protocols is important.
I understand the requirement of backwards compatibility, but this is what major versions are for, at minimum this could be a change for releases for future Minecraft versions.
Furthermore, AES/GCM/NoPadding is available under Java 8.
In regard to the disclaimer, as that is a valid disclaimer to have, it is not an excuse to not fix security issues as they arise. If there is no future intent to fix those issues, I request this disclaimer to be updated to reflect that issues with the encryption are known.