Vim cryptmethod uses SHA-256 for password-based key derivation

[atoponce]

On L421-L423 of src/blowfish.c, a sha256_key() function is created for password-based key derivation with a salt for blowfish. Unfortunately, even with 1,000 rounds, SHA-256 is designed to be fast, and can be parallelized with GPUs when brute forcing a file. Instead, the Blowfish key should be derived using bcrypt or scrypt. Both defeat parallelization on GPUs, and scrypt further defeats FPGAs.

[brammool]

Aaron Toponce wrote:

On
L421-L423
of src/blowfish.c, a sha256_key() function is created for
password-based key derivation with a salt for blowfish. Unfortunately,
even with 1,000 rounds, SHA-256 is designed to be fast, and can be
parallelized with GPUs when brute forcing a file. Instead, the
Blowfish key should be derived using
bcrypt or
scrypt. Both defeat
parallelization on GPUs, and scrypt further defeats FPGAs.

There have been ideas for a new crypt mechanism that is much stronger
than Blowfish. Unfortunately nobody has implemented it yet. Note that
this requires experience and/or knowledge about encryption, it's easy to
make mistakes that weaken the encryption significantly.

Microsoft: "Windows NT 4.0 now has the same user-interface as Windows 95"
Windows 95: "Press CTRL-ALT-DEL to reboot"
Windows NT 4.0: "Press CTRL-ALT-DEL to login"

/// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \
\ an exciting new programming language -- http://www.Zimbu.org ///
\ help me help AIDS victims -- http://ICCF-Holland.org ///

[tarcieri]

Note that unlike scrypt (or PBKDF2, or Argon2), bcrypt is not designed to be a KDF.

[atoponce]

Note that unlike scrypt (or PBKDF2, or Argon2), bcrypt is not designed to be a KDF.

Indeed. Bad recommendation on my part, although I wouldn't recommend Argon2 quite yet either. Scrypt seems to be the most fitting here.

[DemiMarie]

Argon2 is implemented in libsodium and is the winner of the Password Hashing Competition. It is designed as a KDF.

However, note that the rest of Vim's cryptmethod is also poorly implemented. My suggestion is to use Argon2 as a KDF and either XSalsa20-Poly1305 or XChaCha20-Poly1305 (with a strong, random nonce) for authenticated encryption.

To guard against possible corruption on disk, it might be useful to apply an error-correcting code to the ciphertext + auth tag prior to writing on disc.

libsodium provides high-level APIs for password hashing and authenticated encryption and is my strong suggestion.

[brammool]

Demetri Obenour wrote:

Argon2 is implemented in libsodium and is the winner of the
Password Hashing Competition. It is designed as a KDF.

However, note that the rest of Vim's cryptmethod is also poorly
implemented. My suggestion is to use Argon2 as a KDF and either
XSalsa20-Poly1305 or XChaCha20-Poly1305 (with a strong, random nonce)
for authenticated encryption.

libsodium provides high-level APIs for password hashing and
authenticated encryption and is my strong suggestion.

Libsodium looks interesting. The License is very liberal, it would
allow us to include the parts that we need in Vim. Although it appears
some individual files have a more restrictive license, need to check
each one.

This is C code, thus it should not be too difficult to add as a new
crypt algorithm in Vim.

From "know your smileys":
!-| I-am-a-Cylon-Centurian-with-one-red-eye-bouncing-back-and-forth

/// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \
\ an exciting new programming language -- http://www.Zimbu.org ///
\ help me help AIDS victims -- http://ICCF-Holland.org ///

[tarcieri]

There's also TweetNaCl if you want something smaller to vendor, although you'd have to vendor Argon2 separately:

https://tweetnacl.cr.yp.to/software.html

[vim-ml]

On Saturday, March 19, 2016 at 1:43:30 PM UTC-5, Demetri Obenour wrote:

Argon2 is implemented in libsodium and is the winner of the Password Hashing Competition. It is designed as a KDF.

However, note that the rest of Vim's cryptmethod is also poorly implemented. My suggestion is to use Argon2 as a KDF and either XSalsa20-Poly1305 or XChaCha20-Poly1305 (with a strong, random nonce) for authenticated encryption.

libsodium provides high-level APIs for password hashing and authenticated encryption and is my strong suggestion.

My thoughts on this are:

It's best to use a library. With a library we're going to get any security updates from people who presumably know what they're doing and spend time learning about exploits so they can address them in their code. Also researchers are actually likely to test an external library, but not Vim's internal code.

However it's useful to have something available on every system Vim supports, so I think something should be baked in, still. Also Vim needs to be able to read old files.

I think adding a 'cryptkdf' option would be a decent idea. Include something built-in; either copied from a library with a license that allows it (probably best), or something simple like PDKDF2 (we already have a SHA256 we could use a a building block). But also include an option for a library implementation of a few algorithms. Argon2 is a good idea but it's still pretty new so if a flaw is found another method would probably be nice to have already available, so maybe the choices could be something like 'pdkdf2', 'lib-scrypt', and 'lib-argon2' for starters.

The number of iterations is key for the security of these algorithms. I'm vaguely aware that scrypt and argon2 are also configurable in memory use, but I know a lot less about that. But regardless we'll want to allow configuring the KDF to scale with hardware without recompiling Vim. So a 'cryptkdfcount' or similar option should also be provided. I think a good way to do this would be to allow both numeric values, but also time values. For example, the user could do ":set cryptkdfcount=1s" and Vim would estimate how many iterations would take a full second on the current hardware and use that. 1-3 seconds is probably a reasonable default value as well.

Speaking of defaults: I think Vim should default to the strongest method available. I additionally think Vim should warn on saving with a known broken format such as the original blowfish implementation, or the zip algorithm, or even blowfish2 without a decent KDF. Maybe even compile without the broken algorithms altogether unless the user specifically passes --include-bad-crypto to the configure script or something.

As for blowfish: I'm not very concerned about the weaknesses in the algorithm for the specific uses Vim is likely to use it for, however having a better encryption algorithm available is much nicer. Nevertheless, I am a little concerned whether we know the algorithm is implemented properly. I'd like to see output from Vim's implementation matched up against output from a well-known library implementation. In theory with the same salt, same IV, and same key, I think they should be compatible.

I should note here that I'm also a little uneasy with the current salt/IV generation. Basically it's just one system time (in microseconds) and a hash (I doubt the rand() adds anything useful). That could be a lot better, using /dev/urandom for example where supported, or the equivalent. Or maybe hash system time (still in microseconds) with a previous hash periodically, say while waiting for user input or something; I'm not familiar with best practices when a good system-provided random source is missing. I say I'm "uneasy" because I doubt there's any good exploit for this in Vim's use scenarios, but it's documented widely that a good unpredictable IV is required for CBC mode encryption, so I don't get any warm fuzzies from the "random" code here.

Bram, are you already working on any of this? I have been thinking about starting an implementation of some of the above but that's a lot of work I don't want going to waste if you have other ideas. Maybe hashing out a top-level interface and goals, then making a fork for more distributed development, would be a decent idea? I don't think any halfway implementations will be useful, especially since we'll probably need to grow a blowfish3 or other cryptmethod to use the new KDF (preferably in a forwards-compatible way to handle other new KDFs that may come along in the future).

[paragonie-scott]

(Slight nit: it's PBKDF2. The acronym stands for "Password-Based Key Derivation Function #2".)

[vim-ml]

On Monday, March 21, 2016 at 11:00:31 AM UTC-5, Ben Fritz wrote:

On Saturday, March 19, 2016 at 1:43:30 PM UTC-5, Demetri Obenour wrote:

Argon2 is implemented in libsodium and is the winner of the Password Hashing Competition. It is designed as a KDF.

However, note that the rest of Vim's cryptmethod is also poorly implemented. My suggestion is to use Argon2 as a KDF and either XSalsa20-Poly1305 or XChaCha20-Poly1305 (with a strong, random nonce) for authenticated encryption.

libsodium provides high-level APIs for password hashing and authenticated encryption and is my strong suggestion.

My thoughts on this are:

Oh, and I forgot one more:

While there may not be any exploitable weakness related to non-authenticated encryption in Vim's case, we can't prove it. And, if such an attack exists, Vim will be vulnerable. If we're already modifying the crypto code (and we should, because the KDF is way too weak) then we may as well throw in a MAC to prevent the possibility of a chosen-ciphertext attack. It shouldn't harm anything and it could potentially help a lot. I say we re-open the issue that got created for non-authenticated encryption.

[vim-ml]

On Monday, March 21, 2016 at 11:04:15 AM UTC-5, Scott wrote:

(Slight nit: it's PBKDF2. The acronym stands for "Password-Based Key Derivation Function #2".)

Thanks, I knew that, I just was typing faster than I was thinking apparently. That's one of those acronyms I really need to expand out in my head before typing correctly. I do the same thing with IMDB which occasionally lands me on some interesting cyber-squatter pages. :-(

[vim-ml]

Ben Fritz wrote:

On Saturday, March 19, 2016 at 1:43:30 PM UTC-5, Demetri Obenour wrote:

Argon2 is implemented in libsodium and is the winner of the Password Hashing Competition. It is designed as a KDF.

However, note that the rest of Vim's cryptmethod is also poorly implemented. My suggestion is to use Argon2 as a KDF and either XSalsa20-Poly1305 or XChaCha20-Poly1305 (with a strong, random nonce) for authenticated encryption.

libsodium provides high-level APIs for password hashing and authenticated encryption and is my strong suggestion.

My thoughts on this are:

It's best to use a library. With a library we're going to get any
security updates from people who presumably know what they're doing
and spend time learning about exploits so they can address them in
their code. Also researchers are actually likely to test an external
library, but not Vim's internal code.

libsodium is currently at version 1.0.8. The version included with
Ubuntu is 1.0.3 ...

However it's useful to have something available on every system Vim
supports, so I think something should be baked in, still. Also Vim
needs to be able to read old files.

We could use configure to find a library and when it's not available or
older fall back to the built-in code.

Speaking of defaults: I think Vim should default to the strongest
method available. I additionally think Vim should warn on saving with
a known broken format such as the original blowfish implementation, or
the zip algorithm, or even blowfish2 without a decent KDF. Maybe even
compile without the broken algorithms altogether unless the user
specifically passes --include-bad-crypto to the configure script or
something.

This has the danger of writing a file on one system, go on holiday and
find out you can't open it on your laptop (that actually happened to me).

I think there should be some number of months between making a new
method available and making it the default.

The original blowfish encryption is not broken, it's just weaker than it
should be. It's still a lot stronger than zip.

Bram, are you already working on any of this? I have been thinking
about starting an implementation of some of the above but that's a lot
of work I don't want going to waste if you have other ideas. Maybe
hashing out a top-level interface and goals, then making a fork for
more distributed development, would be a decent idea? I don't think
any halfway implementations will be useful, especially since we'll
probably need to grow a blowfish3 or other cryptmethod to use the new
KDF (preferably in a forwards-compatible way to handle other new KDFs
that may come along in the future).

No, several people have given their opinion but nobody has done actual
work...

Laughing helps. It's like jogging on the inside.

/// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \
\ an exciting new programming language -- http://www.Zimbu.org ///
\ help me help AIDS victims -- http://ICCF-Holland.org ///

[vim-ml]

On Wed, Mar 23, 2016 at 4:58 PM, Bram Moolenaar Bram@moolenaar.net wrote:

Speaking of defaults: I think Vim should default to the strongest
method available. I additionally think Vim should warn on saving with
a known broken format such as the original blowfish implementation, or
the zip algorithm, or even blowfish2 without a decent KDF. Maybe even
compile without the broken algorithms altogether unless the user
specifically passes --include-bad-crypto to the configure script or
something.

This has the danger of writing a file on one system, go on holiday and
find out you can't open it on your laptop (that actually happened to me).

That makes some sense, however it only applies to people who edit the same
file on multiple systems, AND they don't have the same version of Vim on
each of those systems.

If you don't need that capability, having the old broken systems still in
the code makes it too easy to make a mistake that could compromise your
security.

DROWN recently showed some of the problems with keeping older known-broken
crypto code enabled by default. I think it makes sense to keep the code
there for people who deliberately choose to use it. But getting rid of it
by default can potentially remove an attack vector.

At the very least, we should warn when saving in an insecure format.

I think there should be some number of months between making a new
method available and making it the default.

OK, that's fair.

The original blowfish encryption is not broken, it's just weaker than it
should be. It's still a lot stronger than zip.

Is it? This page makes it sound like "blowfish" was pretty much completely
broken if you knew any of the plaintext: https://dgl.cx/2014/10/vim-blowfish

For example, if you had plugin that always writes a predictable header text
to an encrypted file before the actual sensitive data, the attacker would
know some plaintext. I'm certainly not comfortable using "blowfish",
knowing it had exploitable flaws fixed in blowfish2. I thought "blowfish"
was just around to let people read their old data (and hopefully convert to
blowfish2).

And while I can probably personally use a strong-enough passphrase to let
the current too-fast KDF for blowfish2 suffice, I wouldn't recommend it to
anyone else, since I know most people choose passwords that can fall way
too fast with modern tools and techniques. I'd consider "blowfish2" to be
broken for general use as well since you need a REALLY good password for
it to provide any long-term security guarantees. Once we increase the KDF
iterations sufficiently I would warn when saving in blowfish2 as well, in
favor of the new method(s) using a better KDF.

[vim-ml]

On Wed, Mar 23, 2016 at 5:51 PM, Benjamin Fritz fritzophrenic@gmail.com
wrote:

I thought "blowfish" was just around to let people read their old data
(and hopefully convert to blowfish2).

That reminds me of something else. Why isn't 'modified' set when you change
cryptmethod or the encryption password?

[vim-ml]

Ben Fritz wrote:

On Wed, Mar 23, 2016 at 4:58 PM, Bram Moolenaar Bram@moolenaar.net wrote:

Speaking of defaults: I think Vim should default to the strongest
method available. I additionally think Vim should warn on saving with
a known broken format such as the original blowfish implementation, or
the zip algorithm, or even blowfish2 without a decent KDF. Maybe even
compile without the broken algorithms altogether unless the user
specifically passes --include-bad-crypto to the configure script or
something.

This has the danger of writing a file on one system, go on holiday and
find out you can't open it on your laptop (that actually happened to me).

That makes some sense, however it only applies to people who edit the same
file on multiple systems, AND they don't have the same version of Vim on
each of those systems.

If you don't need that capability, having the old broken systems still in
the code makes it too easy to make a mistake that could compromise your
security.

DROWN recently showed some of the problems with keeping older known-broken
crypto code enabled by default. I think it makes sense to keep the code
there for people who deliberately choose to use it. But getting rid of it
by default can potentially remove an attack vector.

At the very least, we should warn when saving in an insecure format.

I think there should be some number of months between making a new
method available and making it the default.

OK, that's fair.

The original blowfish encryption is not broken, it's just weaker than it
should be. It's still a lot stronger than zip.

Is it? This page makes it sound like "blowfish" was pretty much completely
broken if you knew any of the plaintext: https://dgl.cx/2014/10/vim-blowfish

Your definition of broken is wrong. Broken means it doesn't work at
all. e.g., Vim crashes when using it, or when decrypting you can't get
back the original text. When do you call a car broken? When you can't
drive. Not when you can't open the window.

For example, if you had plugin that always writes a predictable header text
to an encrypted file before the actual sensitive data, the attacker would
know some plaintext. I'm certainly not comfortable using "blowfish",
knowing it had exploitable flaws fixed in blowfish2. I thought "blowfish"
was just around to let people read their old data (and hopefully convert to
blowfish2).

And while I can probably personally use a strong-enough passphrase to let
the current too-fast KDF for blowfish2 suffice, I wouldn't recommend it to
anyone else, since I know most people choose passwords that can fall way
too fast with modern tools and techniques. I'd consider "blowfish2" to be
broken for general use as well since you need a REALLY good password for
it to provide any long-term security guarantees. Once we increase the KDF
iterations sufficiently I would warn when saving in blowfish2 as well, in
favor of the new method(s) using a better KDF.

My favorite example is when I have some text that I don't want my
neighbor to read. Any encryption that Vim provides works for that.

Also keep in mind that, no matter how strong your encryption is, there
is always a weak point. Rembember key loggers? There never ever is
100% reliable encryption.

So please don't overreact.

hundred-and-one symptoms of being an internet addict:
107. When using your phone you forget that you don't have to use your
keyboard.

/// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \
\ an exciting new programming language -- http://www.Zimbu.org ///
\ help me help AIDS victims -- http://ICCF-Holland.org ///