Lack of key commitment - Different users receiving different plaintexts #570
Closed
emanjon
started this conversation in
Spec feedback
Replies: 1 comment
Seems like this is already considered. I missed the MAC in the header.
Thanks for implementing and maintaining this. This seems like a huge improvement over the archaic OpenSSL and GPG file encryption applications. All Linux distributions should ship with an acceptable file encryption application.
I read the format specification
https://github.com/C2SP/C2SP/blob/main/age.md
It seems to me that the lack of key commitment in ChaCha20-Poly1305 makes it easy for a sender to create an encrypted file that two recipients decrypt to different plaintexts. This kind of attack is, for example, described under Envelope Encryption in [1]. How bad it is depends on the use case, but it does not seem like a thing you want in your file encryption system. I would suggest that version 2 of age have key-committing encryption. In the long-term future it would be nice if NIST's future accordion mode [2] is used.
[1] "How to Abuse and Fix Authenticated Encryption Without Key Commitment"
https://www.usenix.org/system/files/sec22summer_albertini.pdf
[2] Proposal of Requirements for an Accordion Mode
https://csrc.nist.gov/files/pubs/other/2024/04/10/proposal-of-requirements-for-an-accordion-mode-dis/iprd/docs/proposal-of-requirements-for-an-accordion-mode-discussion-draft.pdf
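An added sketch, not code from this thread or from the age code base, of the header MAC the reply refers to. It follows the construction in the linked age.md as read here: HMAC-SHA-256 over the header, keyed by HKDF-SHA-256 of the file key with info "header". The function names are hypothetical, and the header bytes and keys are constructed sample values.

```python
import hashlib
import hmac


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract, then expand) with SHA-256."""
    # An empty salt is replaced by HashLen zero bytes, as RFC 5869 specifies.
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def header_mac(file_key: bytes, header: bytes) -> bytes:
    """MAC over the header bytes, keyed from the file key (assumed per age.md)."""
    mac_key = hkdf_sha256(file_key, b"", b"header")
    return hmac.new(mac_key, header, hashlib.sha256).digest()


def accept_header(unwrapped_file_key: bytes, header: bytes, mac: bytes) -> bool:
    """Recipient-side check: accept only if the MAC verifies under the
    file key this recipient unwrapped from its own stanza."""
    return hmac.compare_digest(header_mac(unwrapped_file_key, header), mac)


# Constructed sample header with two recipient stanzas (not a real age file).
HEADER = (
    b"age-encryption.org/v1\n"
    b"-> X25519 CONSTRUCTED-STANZA-FOR-RECIPIENT-A\nAAAA\n"
    b"-> X25519 CONSTRUCTED-STANZA-FOR-RECIPIENT-B\nBBBB\n"
    b"---"
)
KEY_A = bytes(range(16))      # constructed 16-byte file key unwrapped by A
KEY_B = bytes(range(16, 32))  # a different constructed key unwrapped by B


def demo() -> tuple:
    """One header carries one MAC; check it under both unwrapped keys."""
    mac = header_mac(KEY_A, HEADER)
    return accept_header(KEY_A, HEADER, mac), accept_header(KEY_B, HEADER, mac)


if __name__ == "__main__":
    print(demo())
```

A recipient whose stanza unwraps to a different file key fails the header check before any payload is decrypted, which is the situation the original post describes.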