201703-02
Incorrect IV generation for encryption
Background
Block ciphers operated in a mode where the processing of one block feeds into the next require a random, unique value to initialize the algorithm. Those values are commonly known as Initialization Vectors or IVs. IVs are public (they are attached to the resulting ciphertext), so for the encryption to be secure they must never be reused and must be generated by a proper Cryptographically Secure Pseudo Random Number Generator (CSPRNG).
Description
An issue with IV generation has been discovered in the SimpleSAML\Utils\Crypto::_aesEncrypt() method, where the IV is not generated randomly but taken from the first 16 bytes of the SHA256 hash of the secret given as a parameter. This unfortunate bug has two direct implications:
- The security of the secret key is effectively downgraded from 256 bits to 128, since its first 16 bytes are made public in the resulting IV.
- The security of the encryption is compromised, because the IV is reused whenever the same secret is used twice, as happens by default in the SimpleSAML\Utils\Crypto::aesEncrypt() method, which uses the configured salt as the secret.
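The following added example (not SimpleSAMLphp's own code) contrasts the IV derivation described above with a CSPRNG-generated IV in a helper shaped like _aesEncrypt(), and includes a check a deployment can run over stored blobs to spot ones written with the flawed derivation. The helper names, the 32-byte key derivation from SHA256 and the "IV followed by ciphertext" layout are assumptions made for this example.

```php
<?php
// Added illustration in the shape of a Crypto::_aesEncrypt()-style helper; it is
// not SimpleSAMLphp's own code. Function names, the 32-byte key derivation and
// the "IV followed by ciphertext" output layout are assumptions for this example.

function keyFromSecret(string $secret): string {
    return hash('sha256', $secret, true);   // raw 32-byte AES-256 key (assumed)
}

function flawedEncrypt(string $secret, string $plaintext): string {
    $key = keyFromSecret($secret);
    // The flaw the advisory describes: the IV is the first 16 bytes of
    // SHA256(secret), so it equals half the key and repeats on every call.
    $iv = substr(hash('sha256', $secret, true), 0, 16);
    $ct = openssl_encrypt($plaintext, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    return $iv . $ct;
}

function fixedEncrypt(string $secret, string $plaintext): string {
    $key = keyFromSecret($secret);
    $iv  = random_bytes(16);   // fresh IV from the platform CSPRNG on every call
    $ct  = openssl_encrypt($plaintext, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    return $iv . $ct;
}

function aesDecrypt(string $secret, string $blob): string {
    $iv = substr($blob, 0, 16);
    $ct = substr($blob, 16);
    return openssl_decrypt($ct, 'aes-256-cbc', keyFromSecret($secret), OPENSSL_RAW_DATA, $iv);
}

// Defender's check for stored blobs: a blob written by the flawed code carries
// an IV equal to the first half of the key, so it should be re-encrypted.
function ivLeaksKey(string $secret, string $blob): bool {
    return hash_equals(substr(keyFromSecret($secret), 0, 16), substr($blob, 0, 16));
}

$secret = 'example-salt-value';   // constructed sample secret for the demo
$msg    = 'same message';
$a = flawedEncrypt($secret, $msg);
$b = flawedEncrypt($secret, $msg);
printf("flawed: repeated blob=%s, IV leaks key=%s\n",
       var_export($a === $b, true), var_export(ivLeaksKey($secret, $a), true));

$c = fixedEncrypt($secret, $msg);
$d = fixedEncrypt($secret, $msg);
printf("fixed: repeated blob=%s, IV leaks key=%s, roundtrip ok=%s\n",
       var_export($c === $d, true), var_export(ivLeaksKey($secret, $c), true),
       var_export(aesDecrypt($secret, $c) === $msg, true));
```

Encrypting the same message twice with the flawed helper yields byte-identical blobs whose leading 16 bytes equal half the key; the CSPRNG variant yields a distinct blob each time while still decrypting correctly.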
Affected versions
All SimpleSAMLphp versions from 1.14.0 to 1.14.11, both included.
Impact
The issue described here undermines the security of the encryption offered by the SimpleSAML\Utils\Crypto::aesEncrypt() method, and therefore any secrets encrypted with it might be compromised by an attacker with enough knowledge or resources.
Resolution
Upgrade to the latest version.
Credit
This security issue was discovered and reported on March 29, 2017 by Chris Czub (Duo Security).