Vim cryptmethod is not authenticated

[atoponce]

When using cryptmethod=blowfish2, the saved ciphertext is not authenticated with a message authentication code ("MAC tag"). Consider saving "Lorem ipsum dolor sit amet, consectetur adipiscing elit." to a text file, and getting the SHA-256 digest of the ciphertext:

$ vim -x /tmp/lorem.txt
(Use "vim" as the passphrase)
$ sha256sum /tmp/lorem.txt
510e57357353d511dac719bc238900456332ca0e4c00bcf12d244fdc66355f8e  /tmp/lorem.txt

Now deliberately corrupt the file:

$ dd seek=50 conv=notrunc bs=1 count=10 if=/dev/urandom of=/tmp/lorem.txt
10+0 records in
10+0 records out
10 bytes copied, 0.000293754 s, 34.0 kB/s

Notice the SHA-256 digest has changed. Open the file, and notice that the plaintext has changed:

$ sha256sum /tmp/lorem.txt 
f17d3494643ed8bef5f0ba7fd67af6682f0332a0bccf52e9a2640604bec0b111  /tmp/lorem.txt
$ vim -x /tmp/lorem.txt
(Use "vim" as the passphrase)

I get "Lorem ipsum dolor sit £ÕH<8a>`7^T¸³­#÷f;Qüצadipiscing elit." returned. Your mileage may vary.

If the ciphertext was authenticated with a cryptographically secure hashing function (Skein by Bruce Schneier would be fitting, given the use of his Blowfish algorithm as the symmetric cipher), and if the MAC tag was calculated on the ciphertext, then when attempting to decrypt, if the MAC tag did not match the newly calculated MAC tag, Vim should error out, rather than decrypting and displaying the file. See the Wikipedia article on "Encrypt-then-MAC".

Vim should use "Encrypt-then-MAC" authenticated encryption when using cryptmethod.

[tarcieri]

I brought up a similar issue with neovim, suggesting crypto be removed: neovim/neovim#694 (and they did indeed remove it)

Using malleable, unauthenticated cryptography exposes you to a whole class of attacks which modern authenticated ciphers prevent. You should really use the latter.

As to the threat model and specific attacks, we can try to talk about that, but really most excuses I've seen people make about failing to move to modern, authenticated ciphers have only lead to additional attacks. See also @moxie0's The Cryptographic Doom Principle:

http://www.thoughtcrime.org/blog/the-cryptographic-doom-principle/

[atoponce]

Looks like you're including sha256.c for sha256_key() with the password rotation. You could use HMAC-SHA256 instead for your MAC, so you won't need to bring in any additional code.

However, instead of key derivation using SHA-256, you should look at using bcrypt. I'll create a separate issue for this. See #639.

[brammool]

Aaron Toponce wrote:

When using cryptmethod=blowfish2, the saved ciphertext is not
authenticated with a message authentication code ("MAC tag"). Consider
saving "Lorem ipsum dolor sit amet, consectetur adipiscing elit." to a
text file, and getting the SHA-256 digest of the ciphertext:

$ vim -x /tmp/lorem.txt
(Use "vim" as the passphrase)
$ sha256sum /tmp/lorem.txt
510e57357353d511dac719bc238900456332ca0e4c00bcf12d244fdc66355f8e  /tmp/lorem.txt

Now deliberately corrupt the file:

$ dd seek=50 conv=notrunc bs=1 count=10 if=/dev/urandom of=/tmp/lorem.txt
10+0 records in
10+0 records out
10 bytes copied, 0.000293754 s, 34.0 kB/s

Notice the SHA-256 digest has changed. Open the file, and notice that
the plaintext has changed:

$ sha256sum /tmp/lorem.txt 
f17d3494643ed8bef5f0ba7fd67af6682f0332a0bccf52e9a2640604bec0b111  /tmp/lorem.txt
$ vim -x /tmp/lorem.txt
(Use "vim" as the passphrase)

I get "Lorem ipsum dolor sit £ÕH<8a>`7^T¸³­#÷f;Qüצadipiscing elit."
returned. Your mileage may vary.

So? The encryption is meant to avoid other people, who don't have the
key, from reading the text. It does not have the goal of protecting
manipulation of the text, that is something else. You could add a
checksum even when not using encryption. I believe it's called signing.

Adding a checksum actually makes breaking the encryption easier. I don't
know by how much, it depends on a way to check if the decription seemed
to have worked. That can be avoided by performing another operation
first, e.g. compressing the text.

If the ciphertext was authenticated with a cryptographically secure
hashing function
(Skein by
Bruce Schneier would be fitting, given the use of his Blowfish
algorithm as the symmetric cipher), and if the MAC tag was calculated
on the ciphertext, then when attempting to decrypt, if the MAC tag did
not match the newly calculated MAC tag, Vim should error out, rather
than decrypting and displaying the file. See the Wikipedia article on
"Encrypt-then-MAC".

Vim should use "Encrypt-then-MAC" authenticated encryption when using
cryptmethod.

It's possible to add this as a new crypt method, for those people who
need to protect their text from being changed by others.

This is an airconditioned room, do not open Windows.

/// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \
\ an exciting new programming language -- http://www.Zimbu.org ///
\ help me help AIDS victims -- http://ICCF-Holland.org ///

[atoponce]

So? The encryption is meant to avoid other people, who don't have the key, from reading the text. It does not have the goal of protecting manipulation of the text, that is something else. You could add a checksum even when not using encryption. I believe it's called signing.

There are some subtle differences between checksums, digital signatures, and message authentication codes:

Checksums only provide anonymous data integrity. The problem with blind checksums in ciphertext, is anyone can replace the checksum after replacing or modifying the ciphertext.

Digital signtaures are usually associated with public key cryptography, and imply a physical personality. IE: John Doe signed this data with his private key. Digital signatures provide data integrity attached to personal identity, and provide non-repudiation.

Message authentication codes (MAC tags) are similar to digital signatures, but used with symmetric cryptography. They are anonymous "digital signatures", in that they provide data integrity, while also providing authentication via the use of a secret key only selected privileged parties have access to. No personal identity is attached to the MAC.

The goal with this issue, is to provide authenticated encryption to the ciphertext, so not only is data integrity maintained, but also prevents external modification without knowledge of the authentication key to produce a new MAC. So, not only do we get data privacy with Blowfish, but we get authentication with HMAC-SHA256.

[tarcieri]

However, instead of key derivation using SHA-256, you should look at using bcrypt.

bcrypt is not intended to be used as a KDF (unlike PBKDF2 or scrypt)

Issues like this are why rolling your own crypto is a bad idea.

I would suggest removing all of the existing homebrew crypto code (as neovim did) and adding first class support for a tool like GPG for doing encryption.

[atoponce]

bcrypt is not intended to be used as a KDF (unlike PBKDF2 or scrypt)

Indeed. That was a bad recommendation (this crypto stuff is full of sharp edges- who knew? :) )

I would suggest removing all of the existing homebrew crypto code (as neovim did) and adding first class support for a tool like GPG for doing encryption.

I fully support this also. "-x" is nice for those who don't want to manage their own keys. But, as shown in this ticket and #639, it's weak and falls victim to all sorts of problems, and fixing it isn't exactly "easy".

[chrisbra]

On Di, 16 Feb 2016, Tony Arcieri wrote: I would suggest removing all of the existing homebrew crypto code (as neovim did) and adding first class support for a tool like GPG for doing encryption.

What problem does that fix? And how are users supposed to open existing encrypted files then?

[tarcieri]

What problem does that fix?

It would fix both the issues with weak key derivation (which could allow passwords to be brute forced) and malleable ciphertexts.

GPG, despite its warts, has after a great deal of time generally managed to get the crypto right.

And how are users supposed to open existing encrypted files then?

The existing crypto could be left in in a read-only capacity for a bit to allow recovery of old encrypted files, but ideally it'd be removed altogether (as neovim did)

[vim-ml]

On Monday, February 15, 2016 at 10:19:46 PM UTC-6, Tony Arcieri wrote:

I brought up a similar issue with neovim, suggesting crypto be removed: neovim/neovim#694

Using malleable, unauthenticated cryptography exposes you to a whole class of attacks which modern authenticated ciphers prevent. You should really use the latter.

In communication over an untrusted network, sure. Absolutely.

But what sorts of attacks does this leave you vulnerable for local storage on one computer where the "receiver" of the data is the same person as the "sender"? This isn't Alice, Bob, and Eve. This is Alice trying to protect a file from someone who comes along afterward and can't manipulate or learn about any of the encryption in real time.

If you're worried about someone being able to write files on the machine, then what about a script that creates a file in ~/.vim/plugin, which will install an autocmd to dump a plaintext copy of a buffer any time it sees that encryption is enabled after reading the file? That would be a much easier attack with much higher chances of success, and probably less chance of detection.

Or just get access to the memory of the Vim process somehow, since apparently you can run arbitrary processes on the system.

As Bram points out, Vim's encryption isn't trying to protect the integrity of data. Only its secrecy.

If I'm missing an attack vector here that compromises the ability to keep the plaintext secret, please enlighten me, and I'd be more than happy to see Vim's encryption go (or get fixed).

As to the threat model and specific attacks, we can try to talk about that, but really most excuses I've seen people make about failing to move to modern, authenticated ciphers have only lead to additional attacks. See also @moxie0's The Cryptographic Doom Principle:

http://www.thoughtcrime.org/blog/the-cryptographic-doom-principle/

This article seems to talk entirely about point-to-point protocols with an eavesdropper (with active attacks even, not just passive listening). That's nothing like what Vim is doing. And the attacks listed there rely on the MAC, which as you point out, Vim omits anyway. AND they are timing attacks, which if you have the capability to carry out on Vim's encryption, you could do much easier and more effective attacks anyway as I point out above.

[tarcieri]

@vim-ml (not sure exactly sure who I'm talking to, but hi there some random person on the mailing list!)

Ok, let's talk about threat models.

The set of threat models where confidentiality matters but integrity does not is vanishingly small.

But what sorts of attacks does this leave you vulnerable for local storage on one computer where the "receiver" of the data is the same person as the "sender"?

If there's only one party, we don't need encryption at all! If we have a computer that only one person ever interacts with ever (i.e. a non-networked, airgapped computer stored in a secure physical location), then there's no threat. If you believe the integrity of the file does not matter, that's because you're assuming one of the following:

1. There is no attacker
2. There is an attacker who has read-only access to the file but is unable to manipulate it

The former is irrelevant to me: if there are no attackers we don't need cryptography... problem solved! In the case of the latter, you're assuming there is an attacker but are relying on OS-level protections to preserve the integrity of the file.

However, if we assume the OS can preserve the integrity of the file, why not the confidentiality? Just set the appropriate POSIX file permissions, and again, we don't need cryptography: the OS is preserving the confidentiality of the file for us. Just don't make the file world readable or accessible by any user or group the attacker may possibly belong to. Problem solved!

There is pretty much one threat model (ok, two if we count LFD) under which confidentiality is important and integrity is not: full disk encryption. In this threat model, I lose my device. I never get it back. An attacker now has physical access to the device, but not the credentials to unlock it. We want to prevent the attacker from accessing data on the device.

If that's the threat: use full-disk encryption. It's implemented by people who know what they're doing. It covers all files on the device, not just any given particular one. It also lets you unlock the entire device with the same credential you use to log in, as opposed to a separate credential per file.

So the question is: in what use cases is vim encryption actually helpful? There are things like local file disclosure attacks / "directory traversal" which a confidentiality-only mechanism can help you in. But this is where we get to what I'll call the "lead paint" analogy.

Once in a simpler, more naive time, they put lead in paint. Turns out lead is toxic, and we can make paint without lead.

Should we switch? Switching is hard. Can't we just tell people not to eat the paint chips and to take proper care to use gloves and not come in physical contact with the paint when painting, and not to lick the walls?

We can put big warnings on the product not to do this! But people are still going to eat the paint chips anyway. If they get sick, whose fault is it?

You can try to educate people about the hyperspecific threat model unauthenticated, malleable, "obsolete" cryptography which protects only confidentiality but not integrity prevents. "WARNING: only helpful against local file disclosure attacks!" If people don't pay attention to these warnings, it's their own damn fault, right? Just blame the cryptographic user if any problems occur.

Or you can get rid of the lead, and switch to modern authenticated encryption modes, and protect from a much broader range of threats.

Here is the state of vim's encryption:

1. It's not just using malleable, unauthenticated cryptography which is bad because of the very limited number of threats it protects against...
2. It's using a weak password-based key derivation algorithm which is vulnerable to brute force attacks
3. It's using a cipher (Blowfish) whose creator does not recommend using it anymore: "At this point, though, I'm amazed it's still being used. If people ask, I recommend Twofish instead." -- Bruce Schneier
4. It's using a cipher with a small block size (64-bits)
5. It's using a cipher vulnerable to reflectively weak key attacks
6. It's using an on-disk format which is incompatible with anything except vim

This is bad cryptography. Your argument is the user should understand the very limited set of threats it protects against. They probably don't. Someone is going to eat those lead paint chips.

There are better options available. We have the technology.

Why do you think it's a good idea to keep shipping non-interoperable, obsolete crypto full of sharp edges?

[paragonie-scott]

And the attacks listed there rely on the MAC, which as you point out, Vim omits anyway. AND they are timing attacks, which if you have the capability to carry out on Vim's encryption, you could do much easier and more effective attacks anyway as I point out above.

The set of attacks that apply against "we fucked up our protocol and shipped something other than Encrypt-Then-MAC" is much, much smaller than the set of attacks that apply against "we don't authenticate at all".

The most trivial example of an attack against unauthenticated encryption was Serge Vaudenay's CBC padding oracle attack against CBC mode (which is similar to CFB mode).

[everything @tarcieri said]

100% agreement. Encryption for the sake of encryption is a bad model. It should have a defined purpose within an explicitly defined threat model in terms of how real users would use the system.

Vim would be much better off migrating away from offering this "feature" and encouraging Full Disk Encryption instead, i.e. dm_crypt.

[chrisbra]

Vim would be much better off migrating away from offering this "feature" and encouraging Full Disk Encryption instead, i.e. dm_crypt.

That only works, if you are allowed to (e.g. have the privilige) full encrypt your system and full encryption is available on your system. I am not sure about the latter for Windows, since Truecrypt has been abandonded two years ago.

Having said that, I am sure, nobody would be opposed to improvements to the crypt feature. But code speaks louder than words...

[tarcieri]

Having said that, I am sure, nobody would be opposed to improvements to the crypt feature. But code speaks louder than words...

Bad encryption isn't worth providing. If the encryption is broken, you should follow TrueCrypt's example and switch to a read-only mode which allows files encrypted in vim's broken, proprietary on-disk format to be migrated to, e.g. GPG:

http://truecrypt.sourceforge.net/

re: code, NeoVim already purged this same feature. Their patch could be adopted upstream:

neovim/neovim#694

[chrisbra]

I am not sure, why you are always mention Neovim. We are not Neovim here and we are not talking about a broken encryption here.

[tarcieri]

@chrisbra I think I've done a fairly good job describing why the cryptography vim ships is broken. If you have an actual technical argument against anything I've said, please let me know.

But I'll ask you again: Why do you think it's a good idea to keep shipping non-interoperable, obsolete crypto full of sharp edges?