Incorrect IV generation for encryption
Block ciphers make use of random, unique values in order to initialize the algorithm when there is a feedback from one round to the next. Those values are commonly known as Initialization Vectors or IVs. IVs are public (they are attached to the resulting ciphertext) and therefore they must never be reused, and must be generated by a proper Cryptographically Secure Pseudo Random Number Generator (CSPRNG) in order to be secure.
An issue with IV generation has been discovered in the
SimpleSAML\Utils\Crypto::_aesEncrypt() method, where the IV
is not generated randomly but based on the first 16 bytes of the SHA256 hash of the secret given as a parameter. This
unfortunate bug has two direct implications:
- The security of the secret key is downgraded effectively from 256 bits to 128, given that the first 16 bytes were made public in the resulting IV.
- The security of the encryption is compromised due to the fact that IVs are reused if the same secret is used twice,
as it happens by default in the
SimpleSAML\Utils\Crypto::aesEncrypt()method, which uses the salt configured as the secret.
All SimpleSAMLphp versions from 1.14.0 to 1.14.11, both included.
The issue described here undermines the security of the encryption offered by the
SimpleSAML\Utils\Crypto::aesEncrypt() method, and therefore any secrets encrypted with it might be compromised by an
attacker with enough knowledge or resources.
Upgrade to the latest version.
This security issue was discovered and reported on March 29, 2017 by Chris Czub (Duo Security).