
README: Specify handling of symmetric key in "Under the Hood". #19

Open
yareckon opened this issue May 28, 2021 · 1 comment

Comments

@yareckon

Since you obviously aren't just sending the used symmetric key along unencrypted, there is a step or two in the "Under the Hood" part of the README that is missing to describe it being encrypted again using the public key (I imagine). Not many folks will need that info, but you do have an "Under the Hood" section, and it should be complete.

@paragonie-security
Contributor

paragonie-security commented Jan 19, 2022

The section in question says (with our emphasis):

  • Encryption (KEM+DEM)
    • Generates a random secret value
    • Encrypts the random secret value with your RSA public key, using PHPSecLib
      (RSAES-OAEP + MGF1-SHA256)
    • **Derives an encryption key from the secret value and its RSA-encrypted ciphertext,
      using HMAC-SHA256.**
    • Encrypts your plaintext message using defuse/php-encryption
      (authenticated symmetric-key encryption)
    • Calculates a checksum of both encrypted values (and a version tag)
  • Authentication
    • Signs a message using PHPSecLib (RSASS-PSS + MGF1-SHA256)

That's the symmetric key (in bold). It's not transmitted; it must be recalculated by the recipient. In order to recalculate the same value, you must be able to decrypt the RSA ciphertext (first step), then HMAC the RSA plaintext with the RSA ciphertext. Only then can you decrypt the actual plaintext.

This strategy is an all-or-nothing derivation, which means you can't exploit padding oracles (provided the subsequent steps are constant-time).
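A worked version of the KEM+DEM flow described above, written in Python as an added illustration (it is not EasyRSA's code): the `cryptography` package stands in for PHPSecLib, AES-GCM stands in for defuse/php-encryption, and keying the HMAC with the secret over its RSA ciphertext is an assumed reading of the README step, not a claim about EasyRSA's exact argument order.

```python
import hmac
import hashlib
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# RSAES-OAEP + MGF1-SHA256, matching the README's KEM step
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def derive_dem_key(secret: bytes, rsa_ciphertext: bytes) -> bytes:
    # Assumption: HMAC-SHA256 keyed with the random secret over its own RSA
    # ciphertext. The key is bound to the exact ciphertext and is never sent.
    return hmac.new(secret, rsa_ciphertext, hashlib.sha256).digest()


def encrypt(plaintext: bytes, public_key):
    secret = os.urandom(32)                    # random secret value
    rsa_ct = public_key.encrypt(secret, OAEP)  # KEM: secret under RSA-OAEP
    dem_key = derive_dem_key(secret, rsa_ct)   # symmetric key, not transmitted
    nonce = os.urandom(12)
    # DEM: AES-GCM stands in for defuse/php-encryption; rsa_ct as AAD plays
    # the role of the README's checksum over both encrypted values.
    dem_ct = AESGCM(dem_key).encrypt(nonce, plaintext, rsa_ct)
    return rsa_ct, nonce, dem_ct


def decrypt(rsa_ct: bytes, nonce: bytes, dem_ct: bytes, private_key) -> bytes:
    secret = private_key.decrypt(rsa_ct, OAEP)  # 1. recover the secret
    dem_key = derive_dem_key(secret, rsa_ct)    # 2. recompute the same key
    return AESGCM(dem_key).decrypt(nonce, dem_ct, rsa_ct)  # 3. only now


def roundtrip(message: bytes) -> bool:
    # Constructed demo: sender and recipient derive identical keys.
    sk = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    rsa_ct, nonce, dem_ct = encrypt(message, sk.public_key())
    return decrypt(rsa_ct, nonce, dem_ct, sk) == message


def tampered_ciphertext_rejected() -> bool:
    # All-or-nothing: a modified RSA ciphertext fails OAEP decoding, and even
    # if it decoded, the derived key would differ and the DEM tag would fail.
    sk = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    rsa_ct, nonce, dem_ct = encrypt(b"constructed sample", sk.public_key())
    bad_ct = bytes([rsa_ct[0] ^ 0x01]) + rsa_ct[1:]
    try:
        decrypt(bad_ct, nonce, dem_ct, sk)
    except Exception:
        return True
    return False
```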
