I haven't traced through the app's code to verify that is true.
Recommendation: If there is no HMAC tag with a ciphertext, immediately throw an exception. It makes it clearer that a decryption failure occurred (thus avoiding false positives).
It does do this [1]; however, it is a little more complex since Bitwarden has to backwards-compat support old data that was AES-CBC encrypted from long ago before auth checks were implemented, while also combating against downgrade attacks. This same discussion was had back in January when you (I assume this is PIE Scott) reported the problem in issue 306171 on HackerOne which was closed out.
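The trade-off discussed above (fail closed on a missing HMAC tag while still reading pre-MAC legacy data) can be sketched as follows. This is an added example, not part of the thread and not Bitwarden's code; the `iv|ct|tag` hex envelope and the names `Key`, `seal`, `authenticate` and `AuthError` are hypothetical, and AES-CBC decryption itself is left to the caller.

```python
import hashlib
import hmac
from typing import NamedTuple, Optional, Tuple


class Key(NamedTuple):
    enc_key: bytes
    mac_key: Optional[bytes]  # None only for a legacy key created before MACs existed


class AuthError(Exception):
    """Raised before any decryption is attempted."""


def seal(key: Key, iv: bytes, ct: bytes) -> str:
    """Build the constructed envelope 'iv|ct|tag' (hex fields) over an existing ciphertext."""
    tag = hmac.new(key.mac_key, iv + ct, hashlib.sha256).digest()
    return "|".join(p.hex() for p in (iv, ct, tag))


def authenticate(key: Key, envelope: str) -> Tuple[bytes, bytes]:
    """Return (iv, ct) only if the envelope may be passed on to AES-CBC decryption."""
    try:
        parts = [bytes.fromhex(p) for p in envelope.split("|")]
    except ValueError as exc:
        raise AuthError("malformed envelope") from exc
    if len(parts) == 2:
        # No tag present. The key, not the attacker-controlled envelope,
        # decides whether unauthenticated legacy data is acceptable.
        if key.mac_key is not None:
            raise AuthError("missing HMAC tag for a key that requires one")
        return parts[0], parts[1]
    if len(parts) != 3 or key.mac_key is None:
        raise AuthError("unexpected envelope shape for this key")
    iv, ct, tag = parts
    expected = hmac.new(key.mac_key, iv + ct, hashlib.sha256).digest()
    # Constant-time comparison; any mismatch is a hard failure.
    if not hmac.compare_digest(tag, expected):
        raise AuthError("HMAC mismatch")
    return iv, ct
```

Stripping the tag from a modern envelope raises `AuthError` instead of falling back to the legacy path, which is the downgrade case; only a key with no MAC key accepts the two-field form.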