Re: [key4.db] IV size for aes256-CBC

Re: [key4.db] IV size for aes256-CBC

Matthew N.
Hi Louis,

The dev-tech-crypto mailing list I'm redirecting this to should be able to
get you an answer.

Thanks,
MattN


On Fri, Mar 27, 2020 at 8:51 AM Louis Abraham <[hidden email]>
wrote:

> Hi,
>
> I'm the main developer of https://github.com/louisabraham/ffpass
> We are currently trying to accommodate the (not so) recent cryptographic
> changes in key4.db.
>
> If I understand correctly, key4.db contains a table metadata. The value
> item2 defines a cryptographic algorithm in the DER format.
>
> In the latest version of Firefox, this algorithm is PBES2, using
> aes256-CBC as the encryption algorithm.
>
> I'm facing a little problem when trying to execute aes256-CBC because the
> IV size is only 14 bytes (56 bits) instead of the 64 bits defined in the
> spec.
>
> Could you please help me to understand?
>
> Best,
> Louis
>
--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: [key4.db] IV size for aes256-CBC

Mozilla - Cryptography mailing list
Hi Matthew,

Awesome, thanks and sorry for contacting the wrong list!

Since then, I found the answer to the 14 bytes question:
https://hg.mozilla.org/projects/nss/rev/fc636973ad06392d11597620b602779b4af312f6#l6.49
Basically the DER encoding is used instead for compatibility with a bugged
implementation.

I tried prepending b'\x04\x0e' to DER-encode the IV. However, the value I
get makes no sense (and even has an incorrect padding according to pkcs7
<https://tools.ietf.org/html/rfc2315>).


Best,

Louis

On Fri, 27 Mar 2020 at 19:57, Matthew N. <[hidden email]> wrote:

> Hi Louis,
>
> The dev-tech-crypto mailing list I'm redirecting this to should be able to
> get you an answer.
>
> Thanks,
> MattN

Re: [key4.db] IV size for aes256-CBC

Robert Relyea
On 03/27/2020 12:21 PM, Louis Abraham wrote:

> Hi Matthew,
>
> Awesome, thanks and sorry for contacting the wrong list!
>
> Since then, I found the answer to the 14 bytes question:
> https://hg.mozilla.org/projects/nss/rev/fc636973ad06392d11597620b602779b4af312f6#l6.49
> Basically the DER encoding is used instead for compatibility with a
> bugged implementation.
>
> I tried prepending b'\x04\x0e' to DER-encode the IV. However, the
> value I get makes no sense (and even has an incorrect padding
> according to pkcs7 <https://tools.ietf.org/html/rfc2315>).
>
>
> Best,
>
> Louis
>
The IV length is still 16 bytes, but only 14 are randomly generated.
It's because the decoding code had a bug in it that requires the IV to
look like der encoded data, so the header needed to be added, but the
whole IV was used (including the 2 byte header) when encrypting/decrypting.

The goal of the AES-256 bit code was to encode AES-256 while allowing
older versions of NSS to still decrypt the new keys, since versions of
NSS may share their databases with other NSS applications running on
other machines.

bob



Re: [key4.db] IV size for aes256-CBC

laurent.clevy
On Monday, March 30, 2020 at 6:28:55 PM UTC+2, Robert Relyea wrote:

> The IV length is still 16 bytes, but only 14 are randomly generated.
> It's because the decoding code had a bug in it that requires the IV to
> look like der encoded data, so the header needed to be added, but the
> whole IV was used (including the 2 byte header) when encrypting/decrypting.
>
> The goal of the AES-256 bit code was  to encode AES-256 while allowing
> older versions of NSS to still decrypt the new keys, since versions of
> NSS may share their databases with other NSS applications running on
> other machines.
>
> bob

Hi Robert,

For PBKDF2, why is the iteration value only 1 by default?
The recommendation is 10000: https://cryptosense.com/blog/parameter-choice-for-pbkdf2/

Is it the value 1 in this ASN.1 data?

       SEQUENCE {
         OBJECTIDENTIFIER 1.2.840.113549.1.5.12 pkcs5 PBKDF2
         SEQUENCE {
           OCTETSTRING b'f92dde91809b8b00c6607b73f3d0321c80f930aa13f13da5293aede76ee92048'
           INTEGER b'01' <----- iterations ?
           INTEGER b'20'
           SEQUENCE {
             OBJECTIDENTIFIER 1.2.840.113549.2.9 hmacWithSHA256
           }
         }
       }

Laurent,
author of https://github.com/lclevy/firepwd

Re: [key4.db] IV size for aes256-CBC

Robert Relyea
On 04/22/2020 01:21 AM, [hidden email] wrote:

> Hi Robert,
>
> For PBKDF2, why is the iteration value only 1 by default?
> The recommendation is 10000: https://cryptosense.com/blog/parameter-choice-for-pbkdf2/
>
> Is it the value 1 in this ASN.1 data?
>
>         SEQUENCE {
>           OBJECTIDENTIFIER 1.2.840.113549.1.5.12 pkcs5 PBKDF2
>           SEQUENCE {
>             OCTETSTRING b'f92dde91809b8b00c6607b73f3d0321c80f930aa13f13da5293aede76ee92048'
>             INTEGER b'01' <----- iterations ?
>             INTEGER b'20'
>             SEQUENCE {
>               OBJECTIDENTIFIER 1.2.840.113549.2.9 hmacWithSHA256
>             }
>           }
>         }
>
> Laurent,
> author of https://github.com/lclevy/firepwd

There's a separate patch that is supposed to increase the iteration
count. I believe it landed after the AES changes.

bob

