
EncryptedType uses static IV per key #166

Open
rpicard opened this issue Oct 6, 2015 · 10 comments

Comments

@rpicard

rpicard commented Oct 6, 2015

EncryptedType uses AES in CBC mode. The IV that it uses is not random though.

https://github.com/kvesteri/sqlalchemy-utils/blob/master/sqlalchemy_utils/types/encrypted.py#L56

Given a single key, it will use the SHA256 hash of that key for all encryption. It looks like it will use the first 16 bytes of that hash as the IV for each operation.

This link is a good primer on why this is bad: http://security.stackexchange.com/a/1097

@mehcode
Collaborator

mehcode commented Oct 7, 2015

From what I understand we do it this way so that encrypt("b") == encrypt("b") to allow for queryability of encrypted values. There is the https://github.com/kvesteri/sqlalchemy-utils/blob/master/sqlalchemy_utils/types/encrypted.py#L94 which uses (from the documentation):

  • AES in CBC mode with a 128-bit key for encryption; using PKCS7 padding.
  • HMAC using SHA256 for authentication.
  • Initialization vectors are generated using os.urandom().

If you're suggesting that the Fernet engine be the default I'd honestly be fine with that as long as we push it out as a minor version bump.
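An added demonstration, not code from sqlalchemy-utils or from any commenter, of the two points made above: why an IV taken from the first 16 bytes of SHA256(key) makes equal values, and equal leading blocks, visible in the stored ciphertext, and what the Fernet-style construction (fresh `os.urandom()` IV per value, PKCS7 padding, HMAC-SHA256 over the result) changes. AES is replaced by a toy HMAC-keyed Feistel block cipher so the script runs on the Python standard library alone; the `enc:`/`mac:` key-separation labels, the function names and the sample values are assumptions.

```python
import hashlib
import hmac
import os

BLOCK = 16  # bytes; the same block size as AES


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed round function: HMAC-SHA256 over (round index || half), truncated to 8 bytes
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Toy 16-byte block cipher (4-round Feistel network) standing in for AES
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return right + left


def block_decrypt(key: bytes, block: bytes) -> bytes:
    right, left = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    data, prev, out = pkcs7_pad(plaintext), iv, bytearray()
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return bytes(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    prev, out = iv, bytearray()
    for i in range(0, len(ciphertext), BLOCK):
        blk = ciphertext[i:i + BLOCK]
        out += _xor(block_decrypt(key, blk), prev)
        prev = blk
    return pkcs7_unpad(bytes(out))


# --- The pattern the issue reports: cipher key = SHA256(secret), IV = its first 16 bytes ---
def encrypt_static_iv(secret: bytes, plaintext: bytes) -> bytes:
    k = hashlib.sha256(secret).digest()
    return cbc_encrypt(k, k[:BLOCK], plaintext)


def decrypt_static_iv(secret: bytes, ciphertext: bytes) -> bytes:
    k = hashlib.sha256(secret).digest()
    return cbc_decrypt(k, k[:BLOCK], ciphertext)


# --- The hardened pattern: fresh random IV per value, encrypt-then-MAC with HMAC-SHA256 ---
def _keys(secret: bytes):
    # Assumed key separation: distinct encryption and MAC keys derived from one secret
    return (hashlib.sha256(b"enc:" + secret).digest(),
            hashlib.sha256(b"mac:" + secret).digest())


def encrypt_random_iv(secret: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _keys(secret)
    iv = os.urandom(BLOCK)
    body = iv + cbc_encrypt(enc_key, iv, plaintext)  # IV travels with the ciphertext
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def verify_token(secret: bytes, token: bytes) -> bool:
    # Constant-time check of the trailing 32-byte tag over iv || ciphertext
    _, mac_key = _keys(secret)
    body, tag = token[:-32], token[-32:]
    return hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag)


def decrypt_random_iv(secret: bytes, token: bytes) -> bytes:
    if not verify_token(secret, token):
        raise ValueError("authentication failed")
    enc_key, _ = _keys(secret)
    body = token[:-32]
    return cbc_decrypt(enc_key, body[:BLOCK], body[BLOCK:])


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample value
    a, b = encrypt_static_iv(secret, b"salary=50000"), encrypt_static_iv(secret, b"salary=50000")
    print("static IV, same value twice -> identical ciphertext:", a == b)
    c, d = encrypt_random_iv(secret, b"salary=50000"), encrypt_random_iv(secret, b"salary=50000")
    print("random IV, same value twice -> identical ciphertext:", c == d)
```

Under the static IV, two rows holding the same value store byte-identical ciphertext, and two values that agree on their first 16 bytes store an identical first block, which is exactly the "two employees make the same amount" observation later in the thread. Under the random-IV form the same value encrypts differently every time and any modification of the stored bytes fails the HMAC check before decryption is attempted; the price is that the column can no longer be searched by value.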

@rpicard
Author

rpicard commented Oct 7, 2015

Making the Fernet engine the default sounds good to me. Getting the HMAC for free is a win too.

@rpicard
Author

rpicard commented Oct 7, 2015

With that said, if AesEngine is kept around it should still be fixed.

@mehcode
Collaborator

mehcode commented Oct 7, 2015

> With that said, if AesEngine is kept around it should still be fixed.

Except it's done that way to allow querying. Depending on the why of your encryption it may be fine.

@rpicard
Author

rpicard commented Oct 7, 2015

Using a static IV per key compromises security. If users are willing to accept that to gain the convenience it provides, then that's up to them. If you want to facilitate that it's up to you. If that's your decision, my opinion is that the documentation should make it clear beyond any question that using those features reduces the security of the system.

That's my point of view. Remediate this as you see fit. 👍

@mehcode
Collaborator

mehcode commented Oct 7, 2015

I'm going to recommend (and then probably not get time to do it for a while so if anyone wants to jump in it'd be appreciated):

  • Remove user-configured engine selection (we only have two and they are both AES) and default to an internal selection of the Fernet engine
  • Add a property (named along the lines of reproducible or queryable) that switches to the as-standing AesEngine
  • Add a warning block in the documentation that explains what the security risk is.

I agree that leaking a database encrypted with static IVs would allow a line of reasoning about the encrypted data that otherwise wouldn't exist (for instance, if we were talking about salaries of employees you could see that 2 people make the same amount). But I don't agree that it's broken. Security is a matter of degree. Normally only data that should be encrypted gets encrypted. However if your client instructs you to encrypt the world, no matter what, then allowing some data to be queryable is a thing that would need to happen.

@konstantinoskostis
Contributor

@mehcode , @rpicard hello and I am very sorry I am responding so late. First I would like to say that all of your above comments are absolutely correct. To be honest when I started the EncryptedType I wanted to give users the possibility to also query values in the DB and that is why the IV is not randomly generated. It was just a decision, maybe a wrong one... When I have the time I will try to make the changes proposed by @mehcode in the above comment.

@MichaelCG8

So it's been a little over 5 years since this ticket was opened, so here's a summary of updates that I've noticed when looking at this.

This ticket was opened when the latest release was 0.31.0, and we're now on 0.36.8.

The file https://github.com/kvesteri/sqlalchemy-utils/blob/0.31.0/sqlalchemy_utils/types/encrypted.py has been replaced by the directory https://github.com/kvesteri/sqlalchemy-utils/tree/master/sqlalchemy_utils/types/encrypted/

The classes AesEngine and FernetEngine still exist, and there is a new AesGcmEngine.

AesEngine and AesGcmEngine have docstrings explaining that the former allows searching by value of an encrypted column, but is less secure than the latter, which does not allow this searching. The Fernet docstring does not mention that it does not enable this searching.

In the SQLAlchemy-Utils docs, the only mention of encryption is in https://sqlalchemy-utils.readthedocs.io/en/latest/data_types.html#module-sqlalchemy_utils.types.encrypted.encrypted_type which does not have a docstring so the user will need to look at the source code without prompting to see the docstrings of the engines and to see that AesEngine is the default. It used to have a docstring but it now inherits from StringEncryptedType and the docstring has been moved there. StringEncryptedType does not appear in the documentation apart from in the source code. It looks like the docstring wasn't updated though when it was moved from StringEncryptedType to EncryptedType, so it is still using EncryptedType in its example code rather than StringEncryptedType.

The changes proposed by @mehcode still look appropriate to me, with the addition that the documentation should make clear that EncryptedType inherits from StringEncryptedType and the docstring of StringEncryptedType should be available in the documentation with some notes about the engines.

Neither databases nor encryption are my domain, but this seems fairly simple so I'll have a go at it this weekend.

Is anyone aware of any part of https://github.com/sqlalchemy/sqlalchemy or related projects that could use documentation updates based on this?

@MichaelCG8

Pull request opened. #499
I ended up keeping the engine parameter so that when queryable is False the user has the choice of AesGcmEngine and FernetEngine with the latter being the default. If engine is specified it must be compatible with the value of queryable.
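An added sketch, not the project's code and not a reproduction of PR #499, of the selection rule the proposal above and this comment converge on: a queryable flag that defaults to the non-deterministic Fernet engine, an explicitly chosen engine that must agree with that flag instead of silently overriding it, and a review helper that lists which columns end up with a deterministic (static-IV) engine. The class names match the engines named in the thread; the `deterministic` attribute, `is_compatible`, `select_engine`, `audit_columns` and the sample column list are assumptions made for this example.

```python
class AesEngine:
    # Static IV: equal plaintexts encrypt identically, so the column can be searched by value
    deterministic = True


class AesGcmEngine:
    deterministic = False


class FernetEngine:
    deterministic = False


def is_compatible(queryable: bool, engine) -> bool:
    # An engine may only be paired with the queryable flag its construction actually supports:
    # a queryable column needs a deterministic engine, a non-queryable one must not get it
    return engine.deterministic == queryable


def select_engine(queryable: bool = False, engine=None):
    """Pick the engine for a column.

    No explicit engine: Fernet unless queryable was asked for, in which case the
    static-IV AesEngine is the only option. An explicit engine that contradicts the
    flag is rejected rather than quietly downgrading or upgrading the column.
    """
    if engine is None:
        return AesEngine if queryable else FernetEngine
    if not is_compatible(queryable, engine):
        kind = "deterministic" if engine.deterministic else "non-deterministic"
        raise ValueError(
            f"{engine.__name__} is {kind} and cannot be used with queryable={queryable}"
        )
    return engine


def audit_columns(columns):
    # Review helper: names of columns whose effective engine leaks plaintext equality
    # columns: iterable of (name, queryable, engine-or-None)
    return [name for name, queryable, engine in columns
            if select_engine(queryable, engine).deterministic]


# Constructed sample model, not from any real project
CONSTRUCTED_MODEL = [
    ("ssn", False, None),           # default -> FernetEngine
    ("email", True, None),          # opted in to searching -> AesEngine
    ("notes", False, AesGcmEngine), # explicit non-deterministic engine, allowed
]

if __name__ == "__main__":
    print("columns with a deterministic engine:", audit_columns(CONSTRUCTED_MODEL))
```

The audit is the check a reviewer wants before deploying such a model: every column it names is one where two rows holding the same value will be stored as the same bytes, which is the trade-off the thread says the documentation must spell out.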

sbrunner added a commit to camptocamp/c2cwsgiutils that referenced this issue Nov 10, 2021
```
  +==============================================================================+
  |                                                                              |
  |                               /$$$$$$            /$$                         |
  |                              /$$__  $$          | $$                         |
  |           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
  |          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
  |         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
  |          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
  |          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
  |         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
  |                                                          /$$  | $$           |
  |                                                         |  $$$$$$/           |
  |  by pyup.io                                              \______/            |
  |                                                                              |
  +==============================================================================+
  | REPORT                                                                       |
  | checked 18 packages, using default DB                                        |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | sqlalchemy-utils           | 0.36.3    | >=0.27.0                 | 42194    |
  +==============================================================================+
  | Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES     |
  | with CBC mode. The IV that it uses is not random though.                     |
  | kvesteri/sqlalchemy-utils#166                      |
  +==============================================================================+
```
sbrunner added a commit to camptocamp/mapfish-print-logs that referenced this issue Nov 10, 2021
```
  +==============================================================================+
  |                                                                              |
  |                               /$$$$$$            /$$                         |
  |                              /$$__  $$          | $$                         |
  |           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
  |          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
  |         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
  |          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
  |          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
  |         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
  |                                                          /$$  | $$           |
  |                                                         |  $$$$$$/           |
  |  by pyup.io                                              \______/            |
  |                                                                              |
  +==============================================================================+
  | REPORT                                                                       |
  | checked 18 packages, using default DB                                        |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | sqlalchemy-utils           | 0.36.3    | >=0.27.0                 | 42194    |
  +==============================================================================+
  | Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES     |
  | with CBC mode. The IV that it uses is not random though.                     |
  | kvesteri/sqlalchemy-utils#166                      |
  +==============================================================================+
```
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Nov 10, 2021
```
  +==============================================================================+
  |                                                                              |
  |                               /$$$$$$            /$$                         |
  |                              /$$__  $$          | $$                         |
  |           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
  |          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
  |         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
  |          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
  |          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
  |         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
  |                                                          /$$  | $$           |
  |                                                         |  $$$$$$/           |
  |  by pyup.io                                              \______/            |
  |                                                                              |
  +==============================================================================+
  | REPORT                                                                       |
  | checked 118 packages, using free DB (updated once a month)                   |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | pycryptodome               | 3.10.3    | <3.11.0                  | 42084    |
  +==============================================================================+
  | Pycryptodome version 3.11.0 includes a fix for the DSA construction          |
  | algorithm. Modulus "p" primality check wasn't working.                       |
  | Legrandin/pycryptodome@183f8d1c7a5e145e7 |
  | 8b86fb54da7e327a277d9c6                                                      |
  +==============================================================================+
  | babel                      | 2.9.0     | <2.9.1                   | 42203    |
  +==============================================================================+
  | Babel 2.9.1 includes a fix for CVE-2021-42771: Babel.Locale in Babel before  |
  | 2.9.1 allows attackers to load arbitrary locale .dat files (containing       |
  | serialized Python objects) via directory traversal, leading to code          |
  | execution.                                                                   |
  | python-babel/babel#782                               |
  | https://lists.debian.org/debian-lts/2021/10/msg00040.html                    |
  | https://www.tenable.com/security/research/tra-2021-14                        |
  | https://lists.debian.org/debian-lts-announce/2021/10/msg00018.html           |
  +==============================================================================+
  | sqlalchemy-utils           | 0.36.8    | >=0.27.0                 | 42194    |
  +==============================================================================+
  | Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES     |
  | with CBC mode. The IV that it uses is not random though.                     |
  | kvesteri/sqlalchemy-utils#166                      |
  +==============================================================================+
  | babel                      | 2.9.0     | <2.9.1                   | 42203    |
  +==============================================================================+
  | Babel 2.9.1 includes a fix for CVE-2021-42771: Babel.Locale in Babel before  |
  | 2.9.1 allows attackers to load arbitrary locale .dat files (containing       |
  | serialized Python objects) via directory traversal, leading to code          |
  | execution.                                                                   |
  | python-babel/babel#782                               |
  | https://lists.debian.org/debian-lts/2021/10/msg00040.html                    |
  | https://www.tenable.com/security/research/tra-2021-14                        |
  | https://lists.debian.org/debian-lts-announce/2021/10/msg00018.html           |
  +==============================================================================+
```
c2c-bot-gis-ci pushed a commit to camptocamp/mapfish-print-logs that referenced this issue Nov 10, 2021
```
  +==============================================================================+
  |                                                                              |
  |                               /$$$$$$            /$$                         |
  |                              /$$__  $$          | $$                         |
  |           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
  |          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
  |         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
  |          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
  |          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
  |         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
  |                                                          /$$  | $$           |
  |                                                         |  $$$$$$/           |
  |  by pyup.io                                              \______/            |
  |                                                                              |
  +==============================================================================+
  | REPORT                                                                       |
  | checked 18 packages, using default DB                                        |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | sqlalchemy-utils           | 0.36.3    | >=0.27.0                 | 42194    |
  +==============================================================================+
  | Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES     |
  | with CBC mode. The IV that it uses is not random though.                     |
  | kvesteri/sqlalchemy-utils#166                      |
  +==============================================================================+
```
c2c-bot-gis-ci pushed a commit to camptocamp/c2cwsgiutils that referenced this issue Nov 10, 2021
```
  +==============================================================================+
  |                                                                              |
  |                               /$$$$$$            /$$                         |
  |                              /$$__  $$          | $$                         |
  |           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
  |          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
  |         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
  |          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
  |          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
  |         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
  |                                                          /$$  | $$           |
  |                                                         |  $$$$$$/           |
  |  by pyup.io                                              \______/            |
  |                                                                              |
  +==============================================================================+
  | REPORT                                                                       |
  | checked 18 packages, using default DB                                        |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | sqlalchemy-utils           | 0.36.3    | >=0.27.0                 | 42194    |
  +==============================================================================+
  | Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES     |
  | with CBC mode. The IV that it uses is not random though.                     |
  | kvesteri/sqlalchemy-utils#166                      |
  +==============================================================================+
```
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Nov 12, 2021
```
  +==============================================================================+
  |                                                                              |
  |                               /$$$$$$            /$$                         |
  |                              /$$__  $$          | $$                         |
  |           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
  |          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
  |         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
  |          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
  |          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
  |         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
  |                                                          /$$  | $$           |
  |                                                         |  $$$$$$/           |
  |  by pyup.io                                              \______/            |
  |                                                                              |
  +==============================================================================+
  | REPORT                                                                       |
  | checked 105 packages, using free DB (updated once a month)                   |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | sqlalchemy-utils           | 0.36.8    | >=0.27.0                 | 42194    |
  +==============================================================================+
  | Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES     |
  | with CBC mode. The IV that it uses is not random though.                     |
  | kvesteri/sqlalchemy-utils#166                      |
  +==============================================================================+
```
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Nov 16, 2021
```
  +==============================================================================+
  |                                                                              |
  |                               /$$$$$$            /$$                         |
  |                              /$$__  $$          | $$                         |
  |           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
  |          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
  |         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
  |          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
  |          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
  |         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
  |                                                          /$$  | $$           |
  |                                                         |  $$$$$$/           |
  |  by pyup.io                                              \______/            |
  |                                                                              |
  +==============================================================================+
  | REPORT                                                                       |
  | checked 105 packages, using free DB (updated once a month)                   |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | sqlalchemy-utils           | 0.36.8    | >=0.27.0                 | 42194    |
  +==============================================================================+
  | Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES     |
  | with CBC mode. The IV that it uses is not random though.                     |
  | kvesteri/sqlalchemy-utils#166                                                |
  +==============================================================================+
```
sbrunner added a commit to camptocamp/shared_config_manager that referenced this issue Mar 11, 2022
```
  +==============================================================================+
  |                                                                              |
  |                               /$$$$$$            /$$                         |
  |                              /$$__  $$          | $$                         |
  |           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
  |          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
  |         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
  |          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
  |          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
  |         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
  |                                                          /$$  | $$           |
  |                                                         |  $$$$$$/           |
  |  by pyup.io                                              \______/            |
  |                                                                              |
  +==============================================================================+
  | REPORT                                                                       |
  | checked 57 packages, using free DB (updated once a month)                    |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | sqlalchemy-utils           | 0.38.2    | >=0.27.0                 | 42194    |
  +==============================================================================+
  | Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES     |
  | with CBC mode. The IV that it uses is not random though.                     |
  | kvesteri/sqlalchemy-utils#166                      |
  +==============================================================================+
```
c2c-bot-gis-ci pushed a commit to camptocamp/shared_config_manager that referenced this issue Mar 11, 2022
```
  +==============================================================================+
  | REPORT                                                                       |
  | checked 57 packages, using free DB (updated once a month)                    |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | sqlalchemy-utils           | 0.38.2    | >=0.27.0                 | 42194    |
  +==============================================================================+
  | Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES     |
  | with CBC mode. The IV that it uses is not random though.                     |
  | kvesteri/sqlalchemy-utils#166                                                |
  +==============================================================================+
```
sbrunner added a commit to camptocamp/c2cgeoportal that referenced this issue Mar 11, 2022
Ignore CVE on sqlalchemy-utils, angular-gettext-tools
Remove CWE ignore

```
  Title: [1059620] Inefficient Regular Expression Complexity in nth-check
  Severity: moderate
  CWE: ["CWE-1333"]
  Vulnerable versions: <2.0.1
  Patched versions: >=2.0.1
  Recommendation: Upgrade to version 2.0.1 or later
  Version: 1.0.2
  Path: angular-gettext-tools > cheerio > css-select > nth-check
  More info: GHSA-rp65-9cf3-cjxr

  +==============================================================================+
  | REPORT                                                                       |
  | checked 136 packages, using free DB (updated once a month)                   |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | sqlalchemy-utils           | 0.38.2    | >=0.27.0                 | 42194    |
  +==============================================================================+
  | Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES     |
  | with CBC mode. The IV that it uses is not random though.                     |
  | kvesteri/sqlalchemy-utils#166                                                |
  +==============================================================================+
```
sbrunner added a commit to camptocamp/redirect that referenced this issue Apr 7, 2022
```
  +==============================================================================+
  | REPORT                                                                       |
  | checked 54 packages, using free DB (updated once a month)                    |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | sqlalchemy-utils           | 0.38.2    | >=0.27.0                 | 42194    |
  +==============================================================================+
  | Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES     |
  | with CBC mode. The IV that it uses is not random though.                     |
  | kvesteri/sqlalchemy-utils#166                                                |
  | kvesteri/sqlalchemy-utils#499                                                |
  +==============================================================================+
  | ujson                      | 5.1.0     | <=5.1.0                  | 46499    |
  +==============================================================================+
  | UltraJSON (aka ujson) through 5.1.0 has a stack-based buffer overflow in     |
  | Buffer_AppendIndentUnchecked (called from encode). Exploitation can, for     |
  | example, use a large amount of indentation.                                  |
  +==============================================================================+
```
sbrunner added a commit to camptocamp/redirect that referenced this issue Apr 7, 2022
```
  +==============================================================================+
  | REPORT                                                                       |
  | checked 54 packages, using free DB (updated once a month)                    |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | sqlalchemy-utils           | 0.38.2    | >=0.27.0                 | 42194    |
  +==============================================================================+
  | Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES     |
  | with CBC mode. The IV that it uses is not random though.                     |
  | kvesteri/sqlalchemy-utils#166                                                |
  | kvesteri/sqlalchemy-utils#499                                                |
  +==============================================================================+
  | ujson                      | 5.1.0     | <=5.1.0                  | 46499    |
  +==============================================================================+
  | UltraJSON (aka ujson) through 5.1.0 has a stack-based buffer overflow in     |
  | Buffer_AppendIndentUnchecked (called from encode). Exploitation can, for     |
  | example, use a large amount of indentation.                                  |
  +==============================================================================+
```
@tucked
Copy link

tucked commented Dec 6, 2022

Looks like the move was called out above, but here are permalinks...
The original link:

self.iv = self.secret_key[:16]

The current location of the same code:

pipenv check trips on this: https://pyup.io/v/42194/742/

Anyone know of a suitable replacement until this is fixed?
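
The following is an added illustration, not code from this thread or from sqlalchemy-utils, of why the `self.iv = self.secret_key[:16]` pattern quoted above matters and what a replacement looks like. It rebuilds the weak pattern in miniature (AES-CBC with the IV sliced from a SHA-256-derived key), shows the two observable consequences (identical plaintexts produce identical ciphertexts, and plaintexts that share a leading 16-byte block produce ciphertexts that share a leading block), contrasts it with a fresh `os.urandom` IV, and includes a small defender-side check over a stored column plus the Fernet construction mentioned earlier in the thread, which adds HMAC authentication on top of a random IV. The secret, the sample values and the helper names are constructed for the example; the key-derivation step is an assumption that mirrors the issue description, not the library's exact code. It needs the `cryptography` package.

```python
import base64
import hashlib
import os
from collections import Counter

from cryptography.fernet import Fernet, InvalidToken
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

BLOCK = 16  # AES block size in bytes


def derive_key(secret: str) -> bytes:
    # Assumption mirroring the issue description: the AES key is SHA-256 of the
    # configured secret. Constructed for this example, not the library's own code.
    return hashlib.sha256(secret.encode("utf-8")).digest()


def _cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    padder = padding.PKCS7(BLOCK * 8).padder()
    padded = padder.update(plaintext) + padder.finalize()
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return enc.update(padded) + enc.finalize()


def _cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(ciphertext) + dec.finalize()
    unpadder = padding.PKCS7(BLOCK * 8).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


def encrypt_static_iv(secret: str, plaintext: bytes) -> bytes:
    """The weak pattern: IV = first 16 bytes of the key, so it is constant per key."""
    key = derive_key(secret)
    iv = key[:BLOCK]  # same IV for every row encrypted under this key
    return _cbc_encrypt(key, iv, plaintext)


def encrypt_random_iv(secret: str, plaintext: bytes) -> bytes:
    """Hardened CBC: a fresh os.urandom IV per call, stored in front of the ciphertext."""
    key = derive_key(secret)
    iv = os.urandom(BLOCK)
    return iv + _cbc_encrypt(key, iv, plaintext)


def decrypt_random_iv(secret: str, blob: bytes) -> bytes:
    key = derive_key(secret)
    return _cbc_decrypt(key, blob[:BLOCK], blob[BLOCK:])


def shared_prefix_blocks(a: bytes, b: bytes) -> int:
    """Number of leading 16-byte blocks two ciphertexts have in common."""
    n = 0
    for i in range(0, min(len(a), len(b)), BLOCK):
        if a[i:i + BLOCK] != b[i:i + BLOCK]:
            break
        n += 1
    return n


def duplicate_ciphertext_count(rows) -> int:
    """Defender check over a stored column: number of rows whose ciphertext also
    appears in another row. With a static IV, equal plaintexts give equal
    ciphertexts, so duplicates in a column of values expected to vary are a
    symptom of the deterministic engine worth investigating."""
    counts = Counter(rows)
    return sum(c for c in counts.values() if c > 1)


def fernet_for(secret: str) -> Fernet:
    # Fernet expects a 32-byte key encoded as url-safe base64.
    return Fernet(base64.urlsafe_b64encode(derive_key(secret)))


def fernet_rejects_tampering(secret: str, plaintext: bytes) -> bool:
    """Fernet authenticates with HMAC-SHA256: flipping one ciphertext byte makes
    decrypt() raise InvalidToken instead of returning corrupted plaintext."""
    f = fernet_for(secret)
    raw = bytearray(base64.urlsafe_b64decode(f.encrypt(plaintext)))
    # Token layout: 1 version byte, 8 timestamp bytes, 16 IV bytes, ciphertext, 32 HMAC bytes.
    raw[25] ^= 0x01  # first ciphertext byte
    try:
        f.decrypt(base64.urlsafe_b64encode(bytes(raw)))
    except InvalidToken:
        return True
    return False


if __name__ == "__main__":
    secret = "constructed-example-secret"  # constructed value
    gold = encrypt_static_iv(secret, b"customer-0001234|plan=gold")
    free = encrypt_static_iv(secret, b"customer-0001234|plan=free")
    print("static IV: leading blocks in common:", shared_prefix_blocks(gold, free))
    print("random IV: duplicates among 3 equal plaintexts:",
          duplicate_ciphertext_count([encrypt_random_iv(secret, b"same")] * 0 +
                                     [encrypt_random_iv(secret, b"same") for _ in range(3)]))
    print("Fernet rejects a flipped byte:", fernet_rejects_tampering(secret, b"value"))
```

The `duplicate_ciphertext_count` check is the cheapest signal a defender can run against an existing table: read the encrypted column, count repeats, and compare against how often the underlying field is expected to repeat. The random-IV variant and Fernet both make that count collapse to zero for distinct rows, and Fernet additionally turns any modification of a stored value into a hard `InvalidToken` failure rather than silently decrypting garbage.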

tucked added a commit to tucked/pbnh that referenced this issue Feb 18, 2023
- Vulnerability not addressed for years:
  kvesteri/sqlalchemy-utils#166

- No bandit on prod code.

- ZeroVer
tucked added a commit to tucked/pbnh that referenced this issue Feb 20, 2023
- Vulnerability not addressed for years:
  kvesteri/sqlalchemy-utils#166

- No bandit on prod code.

- ZeroVer
tucked added a commit to tucked/pbnh that referenced this issue Feb 21, 2023
- Vulnerability not addressed for years:
  kvesteri/sqlalchemy-utils#166

- No bandit on prod code.

- ZeroVer
tucked added a commit to tucked/pbnh that referenced this issue Feb 21, 2023
- Vulnerability not addressed for years:
  kvesteri/sqlalchemy-utils#166

- No bandit on prod code.

- ZeroVer
tucked added a commit to tucked/pbnh that referenced this issue Feb 22, 2023
- Vulnerability not addressed for years:
  kvesteri/sqlalchemy-utils#166

- No bandit on prod code.

- ZeroVer
tucked added a commit to tucked/pbnh that referenced this issue Feb 25, 2023
- Vulnerability not addressed for years:
  kvesteri/sqlalchemy-utils#166

- No bandit on prod code.

- ZeroVer
tucked added a commit to tucked/pbnh that referenced this issue Feb 28, 2023
- Vulnerability not addressed for years:
  kvesteri/sqlalchemy-utils#166

- No bandit on prod code.

- ZeroVer
tucked added a commit to tucked/pbnh that referenced this issue Feb 28, 2023
- Vulnerability not addressed for years:
  kvesteri/sqlalchemy-utils#166

- No bandit on prod code.

- ZeroVer
No branches or pull requests

5 participants