[Owasp-board] Fwd: [phpsec] confidentialString function uses hard-coded key (#108)

johanna curiel curiel johanna.curiel at owasp.org
Wed Nov 25 15:47:27 UTC 2015


This is why higher criteria and revision is needed for defender library
projects

See comment of user.

https://github.com/OWASP/phpsec/issues/108#issuecomment-159637148

---------- Forwarded message ----------
From: Scott <notifications at github.com>
Date: Wed, Nov 25, 2015 at 11:14 AM
Subject: Re: [phpsec] confidentialString function uses hard-coded key (#108)
To: OWASP/phpsec <phpsec at noreply.github.com>
Cc: owaspjocur <johanna.curiel at owasp.org>


Oh my god OWASP, why are you shipping your own broken cryptography library?

https://github.com/OWASP/phpsec/blob/3d3f1a99736d72e7fd850690585e9e5bb1063515/libs/crypto/confidentialstring.php#L133

Hey, I heard you like PHP Object Injection from chosen-ciphertext attacks,
because you're not authenticating your ciphertext at all.

   -
   https://paragonie.com/blog/2015/05/using-encryption-and-authentication-correctly
   -
   https://paragonie.com/blog/2015/05/if-you-re-typing-word-mcrypt-into-your-code-you-re-doing-it-wrong

I really hope nobody uses this, and instead opts for a sane authenticated
encryption library, such as defuse/php-encryption
<https://github.com/defuse/php-encryption>.

—
Reply to this email directly or view it on GitHub
<https://github.com/OWASP/phpsec/issues/108#issuecomment-159637148>.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20151125/220e9da7/attachment.html>


More information about the Owasp-board mailing list