crypto,doc: update language regarding key stretching #19810
Conversation
nodejs-github-bot
added
crypto
doc/api/crypto.md
Outdated
| @@ -1365,6 +1365,8 @@ The `key` is the raw key used by the `algorithm` and `iv` is an | |||
| [Buffers][`Buffer`], `TypedArray`, or `DataView`s. If the cipher does not need | |||
| an initialization vector, `iv` may be `null`. | |||
|
|
|||
| An initialization vector should be unpredictable; ideally, they will be cryptographically random. They do not have to be secret: IVs are typically just added to ciphertext messages in plaintext. It may sound contradictory that something has to be unpredictable, but doesn’t have to be secret; it’s important to remember that an attacker must not be able to predict ahead of time what a given IV will be. | |||
There was a problem hiding this comment.
Lines need to be wrapped at 80 characters.
There was a problem hiding this comment.
aren't they? strange. I'll do that promptly, sorry.
There was a problem hiding this comment.
oh, wait. It's just one single huge line.
doc/api/crypto.md
Outdated
| @@ -1437,6 +1439,8 @@ The `key` is the raw key used by the `algorithm` and `iv` is an | |||
| [Buffers][`Buffer`], `TypedArray`, or `DataView`s. If the cipher does not need | |||
| an initialization vector, `iv` may be `null`. | |||
|
|
|||
| An initialization vector should be unpredictable; ideally, they will be cryptographically random. They do not have to be secret: IVs are typically just added to ciphertext messages in plaintext. It may sound contradictory that something has to be unpredictable, but doesn’t have to be secret; it’s important to remember that an attacker must not be able to predict ahead of time what a given IV will be. | |||
doc/api/crypto.md
Outdated
| @@ -1365,6 +1365,8 @@ The `key` is the raw key used by the `algorithm` and `iv` is an | |||
| [Buffers][`Buffer`], `TypedArray`, or `DataView`s. If the cipher does not need | |||
| an initialization vector, `iv` may be `null`. | |||
|
|
|||
| An initialization vector should be unpredictable; ideally, they will be cryptographically random. They do not have to be secret: IVs are typically just added to ciphertext messages in plaintext. It may sound contradictory that something has to be unpredictable, but doesn’t have to be secret; it’s important to remember that an attacker must not be able to predict ahead of time what a given IV will be. | |||
There was a problem hiding this comment.
An initialization vector -> Initialization vectors?
Or
they will be -> it will be, They do not have -> It does not have?
ryzokuken
force-pushed
the
docs/crypto-iv
branch
from
319f357 to
553e1bb
Compare
|
@tniessen @vsemozhetbyt fixed. |
vsemozhetbyt
added
fast-track
doc/api/crypto.md
Outdated
| @@ -1365,6 +1365,13 @@ The `key` is the raw key used by the `algorithm` and `iv` is an | |||
| [Buffers][`Buffer`], `TypedArray`, or `DataView`s. If the cipher does not need | |||
| an initialization vector, `iv` may be `null`. | |||
|
|
|||
| Initialization vectors should be unpredictable; ideally, they will be | |||
There was a problem hiding this comment.
This really depends on the cipher block mode, some work fine even with predictable IVs. What is much more important is that IVs are unique and that their value cannot be influenced by an attacker.
There was a problem hiding this comment.
You're right. How should I better communicate this, in your opinion?
I (among a lot of other people, I'm sure), prefer to keep the IV unpredictable (cryptographically random) anyway. Better be safe than be sorry, I guess.
There was a problem hiding this comment.
Maybe should be unpredictable and unique? That's not always true, but as you said, better safe than sorry.
There was a problem hiding this comment.
Sure, I'll add unique. I think that was exactly what @bnoordhuis wanted to communicate as well.
doc/api/crypto.md
Outdated
| cryptographically random. They do not have to be secret: IVs are typically just | ||
| added to ciphertext messages in plaintext. It may sound contradictory that | ||
| something has to be unpredictable, but doesn’t have to be secret; it’s | ||
| importantto remember that an attacker must not be able to predict ahead of time |
There was a problem hiding this comment.
Missing space in importantto. Actually, I am not sure what this sentence is supposed to say apart from what the previous said.
There was a problem hiding this comment.
It may sound contradictory that something has to be unpredictable, but does not have to be secret; it is important to remember that an attacker must not be able to predict ahead of time what a given IV will be.
Emphasis on ahead of time here. While the IV does not have to be (and mostly isn't) secret, It needs to be unpredictable. It can be as obvious as it could be in hindsight, but it's important that the attack should not be able to predict it ahead of time.
I hope that makes my stance clearer? I'm willing to chop this down if you don't find it up to the mark?
There was a problem hiding this comment.
No strong opinion here, I am okay with or without the sentence. (Just remember that it is not entirely true for all block cipher modes.)
There was a problem hiding this comment.
My personal standard here is that in case of ambiguity (here: the exact block cipher being used), we should go with the most secure solution which would work well with all of the alternatives, and I think the current definition works for all of the ciphers we're supporting.
That said, my knowledge of both the crypto subsystem and the Node crypto ecosystem are substantially less than yours, and I'd trust your instincts on this.
doc/api/crypto.md
Outdated
| Initialization vectors should be unpredictable; ideally, they will be | ||
| cryptographically random. They do not have to be secret: IVs are typically just | ||
| added to ciphertext messages in plaintext. It may sound contradictory that | ||
| something has to be unpredictable, but doesn’t have to be secret; it’s |
There was a problem hiding this comment.
doesn't → does not, it's → it is.
tniessen
removed
author ready
ryzokuken
force-pushed
the
docs/crypto-iv
branch
2 times, most recently
from
b944ecc to
e283a51
Compare
doc/api/crypto.md
Outdated
| @@ -1365,6 +1365,13 @@ The `key` is the raw key used by the `algorithm` and `iv` is an | |||
| [Buffers][`Buffer`], `TypedArray`, or `DataView`s. If the cipher does not need | |||
| an initialization vector, `iv` may be `null`. | |||
|
|
|||
| Initialization vectors should be unpredictable; ideally, they will be | |||
| cryptographically random. They do not have to be secret: IVs are typically just | |||
| added to ciphertext messages in plaintext. It may sound contradictory that | |||
There was a problem hiding this comment.
Maybe don't say 'plaintext' here, that has a specific meaning in crypto speak.
There was a problem hiding this comment.
Okay. I meant, it's sent "in the plain", or more precisely, unencrypted. I'll substitute "in plaintext" with "unencrypted". Is that better?
ryzokuken
force-pushed
the
docs/crypto-iv
branch
from
e283a51 to
24bbcdb
Compare
doc/api/crypto.md
Outdated
| Initialization vectors should be unpredictable; ideally, they will be | ||
| cryptographically random. They do not have to be secret: IVs are typically just | ||
| added to ciphertext messages unencrypted. It may sound contradictory that | ||
| something has to be unpredictable and unique, but does not have to be secret; |
There was a problem hiding this comment.
Could you move and unique to the beginning (the first sentence)? It really is the most important property of an IV, compared to that, predictability has very limited attack vectors.
There was a problem hiding this comment.
It doesn't make too much sense not using the word unique in this sentence, does it? I'll definitely add it to the beginning as well.
There was a problem hiding this comment.
It doesn't hurt to have it twice, but it should definitely be in the beginning 👍
Update the docs to provide clearer instructions regarding the exact scope of the use (and re-use) of an IV, stating the instructions explicitly with greater clarity. Fixes: nodejs#19748
ryzokuken
force-pushed
the
docs/crypto-iv
branch
from
24bbcdb to
7a881d9
Compare
tniessen
added
the
author ready
|
(Subsystem should probably just be |
|
I agree. I had been thinking the same, but went with both because of the
original issue.
…On Thu 5 Apr, 2018, 4:24 PM Tobias Nießen, ***@***.***> wrote:
(Subsystem should probably just be doc.)
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#19810 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AMg3Mq-Is6P_L3vXoMX2sBtXGDrih-Kcks5tlffZgaJpZM4THe0k>
.
|
|
@tniessen is this landable now? |
|
@ryzokuken Yes, as soon as 48 hours have passed :) |
|
Great!
…On Fri 6 Apr, 2018, 10:50 PM Tobias Nießen, ***@***.***> wrote:
@ryzokuken <https://github.com/ryzokuken> Yes, as soon as 48 hours have
passed :)
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#19810 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AMg3MkIgInhEV_MEnZYAIPuXciHBpBflks5tl6PzgaJpZM4THe0k>
.
|
|
Landed in 0a67932. |
Update the docs to provide clearer instructions regarding the exact scope of the use (and re-use) of an IV, stating the instructions explicitly with greater clarity. PR-URL: #19810 Fixes: #19748 Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Update the docs to provide clearer instructions regarding the exact scope of the use (and re-use) of an IV, stating the instructions explicitly with greater clarity. PR-URL: #19810 Fixes: #19748 Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Update the docs to provide clearer instructions regarding the exact scope
of the use (and re-use) of an IV, stating the instructions explicitly with
greater clarity.
Fixes: #19748
Checklist
/cc @bnoordhuis @tniessen