boxcryptor-single-file-decryptor VS Tink

TL;DR: this code should've never passed audit. I've found numerous problems, but I'll focus on the attack that lets someone successfully manipulate a ciphertext and have it successfully decrypt as something else. While the audit report says "Boxcryptor is not enforcing integrity [of ciphertexts]," this attack can let an adversary decrypt a (short) ciphertext, given a padding oracle. This company should've never rolled their own crypto in response to Authenticated Encryption, which has been solved, if you just use a pre-existing library.

I'm surprised that this code has a "successful" audit. The cryptography _protocol_ that is implemented in the linked github repo (https://github.com/secomba/boxcryptor-single-file-decryptor) has several flaws (in addition to having some bad code practices that I'll skip over since this repo is supposed to only document the encryption protocols).

First, the authors' problems appear to stem from their choice to manually implement an unusual (and inefficient) construction of the Authenticated Encryption primitive. Authenticated Encryption is the most common crypto primitive that people when they say "they want encryption." It's placed front-and-center in libsodium, ring, mundane, tink, monocypher, and every modern cryptography library that I've seen, since it is such a common operation. Modern Authenticated Encryption constructions include: AES-GCM, (X)ChaCha20-Poly1305. While there exist others, the industry has converged on these two as the standard.

These block cipher modes did not emerge for no reason. The cryptography community has steadily iterated on what the default should be when somebody asks, "how can I encrypt my file." We've arrived at these constructions, in particular, because previous constructions have had security flaws.

The authors of this repo have chosen to use the following protocol (for decryptDataPBKDF2):

1. Derive two keys (KE, KH) from a password string using PBKDF2. KE is the encryption key used with AES, and KH is an HMAC key (used for multiple purposes, which is problematic).

> I wonder what people say when they find a bug despite you using standard crypto?

Not using TLS doesn't automatically mean you need to "roll your own crypto". They could have used a well documentend library such as Google Tink[1] instead of doing their own crypto.

[1] https://github.com/google/tink

I sort of rewrote google's tink project in rust. There is already a rust version by project oak but it didn't exactly jive.

PassManager uses the Tink library for encryption, which provides state-of-the-art** security for your passwords. Tink uses industry-standard encryption algorithms like AES to ensure that your passwords are kept safe from prying eyes.

Note that in the example jwt refers to the Tink jwt package.

What I can't tell is if the new version had any fixes related to the bug being discussed here

Even the slightest hiccup could leave me vulnerable. I don't want to roll my own encryption. I want to use something like tink (a secure crypto library by Google) but unfortunately they don't support node or Javascript (there's a library that was published 2 years ago).

I dont have an answer for you, but 2 resources that are worth checking out: https://developer.android.com/guide/topics/security/cryptography and https://developers.google.com/tink

> Do C (or something where the mapping to C is known), and lots of languages have FFI libs where wrapping that is fairly trivial

That is an interesting idea, yet still a lot of work, sadly. I was hoping somebody had done the legwork already. I looked at Tink [1] and age [2] based on my co-worker's recommendation, but they all seem to have limited implementations in other languages.

[1] https://github.com/google/tink

[2] https://github.com/FiloSottile/age