On Tuesday, 15.01.2019, at 15:20 +0100, Florian Weimer wrote:
* Simo Sorce:
> > Maybe the stub implementation should just overwrite the argument with
> > zeros.
>
> I wouldn't overwrite with zeros because then it is clear the encryption
> failed and if it is used in non-orthodox ways could give an attacker a
> way to exploit the zeroing.
>
> (for example if someone uses it to encrypt a password, instead of
> hashing it and then compare to some stored value, then zeroing might be
> a bad choice as all invocations will always return the same value and
> would always compare "right")

That's a fair point. Overwriting with random data seems better.
(There's precedent for doing that on decryption failures, too.)

Thanks,
Florian

Thanks for the thoughts and an easy solution, guys! I've updated the
description and documentation of the proposal accordingly:

The encrypt{,_r} function will - for security reasons - additionally
overwrite the data-block argument with random data.

Björn
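
The password-comparison misuse raised in the thread, as an added example that is not part of the original messages and is not glibc's code: a caller that ignores the failure accepts any password when the stub zeroes the block, but not when it fills it with random bits. The names `stub_encrypt_zero`, `stub_encrypt_random`, `naive_check` and the sample passwords are hypothetical; it assumes `/dev/urandom` is readable and the 64-byte, one-bit-per-byte block layout of `encrypt(3)`.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define BLOCK_LEN 64 /* encrypt(3) block: 64 bytes, each holding one bit */
typedef void (*encrypt_fn)(char *block);
/* Hypothetical stub A: fail with ENOSYS and zero the block. */
static void stub_encrypt_zero(char *block) {
    memset(block, 0, BLOCK_LEN);
    errno = ENOSYS;
}

/* Hypothetical stub B: fail with ENOSYS and fill the block with random bits. */
static void stub_encrypt_random(char *block) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL || fread(block, 1, BLOCK_LEN, f) != BLOCK_LEN)
        abort(); /* demo only: without randomness there is no result */
    fclose(f);
    for (int i = 0; i < BLOCK_LEN; i++) block[i] &= 1;
    errno = ENOSYS;
}

/* Spread the first 8 bytes of a string over 64 one-bit bytes. */
static void to_bits(const char *s, char *block) {
    size_t n = strlen(s);
    for (int i = 0; i < BLOCK_LEN; i++)
        block[i] = ((size_t)(i / 8) < n) ? (s[i / 8] >> (i % 8)) & 1 : 0;
}

/* The misuse from the thread: "encrypt" the candidate, ignore errno, compare. */
static int naive_check(encrypt_fn enc, const char *candidate, const char *stored) {
    char block[BLOCK_LEN];
    to_bits(candidate, block);
    enc(block);
    return memcmp(block, stored, BLOCK_LEN) == 0;
}

/* Enrol one password, then try a different one; 1 means it was accepted. */
static int wrong_password_accepted(encrypt_fn enc) {
    char stored[BLOCK_LEN];
    to_bits("correct1", stored); /* constructed sample values */
    enc(stored);
    return naive_check(enc, "wrong-pw", stored);
}

int main(void) {
    printf("zero stub: %d, random stub: %d\n", wrong_password_accepted(stub_encrypt_zero), wrong_password_accepted(stub_encrypt_random));
    return 0;
}
```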