WebKit Bugzilla
RESOLVED INVALID
211777
SubtleCrypto.decrypt() - Decrypting with wrong AES-CBC key succeeds instead throwing an error
https://bugs.webkit.org/show_bug.cgi?id=211777
Pavel Bednar
Reported
2020-05-12 04:38:46 PDT
Created attachment 399118: repro sample

We are developing a business app utilizing the Web Crypto API. When a user tries to decrypt data with the wrong key, SubtleCrypto.decrypt() should throw an error according to https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/decrypt. In Safari, instead of an error, it succeeds and returns some mismatched data. This is a serious bug since we do not have any means to detect unsuccessful decryption. The same test case in Chrome throws an error; using another algorithm, e.g. AES-GCM, in Safari also throws errors. It also worked in previous versions of Safari (we tested this several months ago and it was throwing an error). This bug seems to be related only to AES-CBC. Below I attached a simple repro in JavaScript.
Attachments
repro sample (1.92 KB, text/javascript), 2020-05-12 04:38 PDT, Pavel Bednar
Radar WebKit Bug Importer
Comment 1
2020-05-12 13:55:30 PDT
<rdar://problem/63152520>
Jiewen Tan
Comment 2
2020-05-12 15:57:06 PDT
That's the design of AES-CBC. Decryptions are designed to fail silently. Otherwise, attackers don't even need to examine the content of the decrypted message to determine if the brute force attack succeeds or not. For integration protection, either add HMAC to your cipher or use AES-GCM.
Pavel Bednar
Comment 3
2020-05-12 22:35:03 PDT
I cannot agree, a few months ago it was working as expected. I don't see why the decrypt method should behave inconsistently based on the selected algorithm. AES-GCM in the same repro throws an error. All major browsers throw an error (tested in Chrome, Firefox, Opera, Edge). Documentation says it should throw an error. Only WebKit started to fail silently, but only for this particular algorithm.

Unfortunately we are not able to upgrade to AES-GCM or simply add HMAC since our customers already have encrypted data in production and we have to maintain compatibility.
Jiewen Tan
Comment 4
2020-05-13 11:38:26 PDT
(In reply to Pavel Bednar from comment #3)
> I cannot agree, a few months ago it was working as expected. I don't see why
> the decrypt method should behave inconsistently based on the selected algorithm.
> AES-GCM in the same repro throws an error. All major browsers throw an error
> (tested in Chrome, Firefox, Opera, Edge). Documentation says it should throw
> an error. Only WebKit started to fail silently, but only for this
> particular algorithm.
>
> Unfortunately we are not able to upgrade to AES-GCM or simply add HMAC since
> our customers already have encrypted data in production and we have to
> maintain compatibility.

If you think this is a regression, then please provide information on when it works and when it starts failing.
Jiewen Tan
Comment 5
2020-05-13 11:43:55 PDT
(In reply to Pavel Bednar from comment #3)
> I cannot agree, a few months ago it was working as expected. I don't see why
> the decrypt method should behave inconsistently based on the selected algorithm.
> AES-GCM in the same repro throws an error. All major browsers throw an error
> (tested in Chrome, Firefox, Opera, Edge). Documentation says it should throw
> an error. Only WebKit started to fail silently, but only for this
> particular algorithm.
>
> Unfortunately we are not able to upgrade to AES-GCM or simply add HMAC since
> our customers already have encrypted data in production and we have to
> maintain compatibility.

BTW, MDN is not the spec. This is: https://www.w3.org/TR/WebCryptoAPI/#aes-cbc-operations. I don't think it suggests anything about throwing an error when decryptions fail.
Pavel Bednar
Comment 6
2020-05-14 05:06:00 PDT
Ok, can you please explain to me why decrypt() behaves differently for AES-GCM? Why does this algorithm throw an error? Is it not the same vulnerability?
Jiewen Tan
Comment 7
2020-05-14 11:27:15 PDT
(In reply to Pavel Bednar from comment #6)
> Ok, can you please explain to me why decrypt() behaves differently for AES-GCM?
> Why does this algorithm throw an error? Is it not the same vulnerability?

AES-GCM throws exceptions because of integrity, not decryption. It first checks the integrity of the cipher. If it fails, then it throws an error. Once this point is passed, it behaves more or less the same as AES-CBC.
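
The HMAC option mentioned in comment 2, sketched as encrypt-then-MAC around AES-CBC with the Web Crypto API, so that a wrong key or a modified ciphertext is rejected before `decrypt()` is ever called. This is an added example, not code from the bug report, its attachment or WebKit; the function names, the HKDF key split and the `iv || ciphertext || tag` layout are assumptions.

```javascript
// Added example. Function names, HKDF labels and the blob layout
// (iv || ciphertext || 32-byte tag) are assumptions, not from the bug report.
const enc = new TextEncoder();

// Browsers expose globalThis.crypto; the import covers older Node.js runtimes.
const webCrypto = async () => globalThis.crypto ?? (await import('node:crypto')).webcrypto;

// Derive independent AES-CBC and HMAC keys from one 32-byte secret with HKDF.
async function deriveKeys(secret) {
  const { subtle } = await webCrypto();
  const base = await subtle.importKey('raw', secret, 'HKDF', false, ['deriveKey']);
  const hkdf = (label) => ({ name: 'HKDF', hash: 'SHA-256', salt: new Uint8Array(32), info: enc.encode(label) });
  return {
    encKey: await subtle.deriveKey(hkdf('enc'), base, { name: 'AES-CBC', length: 256 }, false, ['encrypt', 'decrypt']),
    macKey: await subtle.deriveKey(hkdf('mac'), base, { name: 'HMAC', hash: 'SHA-256', length: 256 }, false, ['sign', 'verify']),
  };
}

async function sealMessage(keys, text) {
  const wc = await webCrypto();
  const iv = wc.getRandomValues(new Uint8Array(16));
  const ct = new Uint8Array(await wc.subtle.encrypt({ name: 'AES-CBC', iv }, keys.encKey, enc.encode(text)));
  const body = new Uint8Array([...iv, ...ct]);
  // The tag covers the IV and the ciphertext, so neither can be altered unnoticed.
  const tag = new Uint8Array(await wc.subtle.sign('HMAC', keys.macKey, body));
  return new Uint8Array([...body, ...tag]);
}

async function openSealed(keys, blob) {
  const { subtle } = await webCrypto();
  if (blob.length < 16 + 16 + 32) throw new Error('message too short');
  const body = blob.subarray(0, blob.length - 32);
  const tag = blob.subarray(blob.length - 32);
  // Verify first; AES-CBC decryption runs only on authenticated input.
  if (!(await subtle.verify('HMAC', keys.macKey, tag, body))) throw new Error('authentication failed');
  const pt = await subtle.decrypt({ name: 'AES-CBC', iv: body.subarray(0, 16) }, keys.encKey, body.subarray(16));
  return new TextDecoder().decode(pt);
}

// Constructed sample secrets and message: right key, wrong key, one flipped bit.
async function demo() {
  const right = await deriveKeys(new Uint8Array(32).fill(1));
  const wrong = await deriveKeys(new Uint8Array(32).fill(2));
  const blob = await sealMessage(right, 'invoice 42');
  const outcome = (p) => p.then((v) => v, (e) => e.message);
  const ok = await outcome(openSealed(right, blob));
  const wrongKey = await outcome(openSealed(wrong, blob));
  blob[20] ^= 1;
  return { ok, wrongKey, tampered: await outcome(openSealed(right, blob)) };
}
```

Because the outcome depends only on the HMAC check, it is the same in every engine regardless of how that engine's AES-CBC `decrypt()` reports failure.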