Encrypted message lengths are trivially leaked #4140
Comments
sdbondi
added a commit
to sdbondi/tari
that referenced
this issue
Aug 4, 2022
* development: fix: wallet database encryption does not bind to field keys tari-project#4137 (tari-project#4340) fix: use SafePassword struct instead of String for passwords (tari-project#4320) feat(dan): template macro handles component state (tari-project#4380) fix(dht)!: add message padding for message decryption, to reduce message length leaks (fixes tari-project#4140) (tari-project#4362) fix(wallet): update seed words for output manager tests (tari-project#4379)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Message encryption and decryption are performed using the
ChaCha20stream cipher. Because no padding is applied, the length of encrypted messages is trivially leaked, and is equal to the length of the resulting ciphertext. Additionally, header data like the message type is sent in the clear. An adversary may be able to infer additional information from this.Mitigations include:
It's important to ensure that no padding-related attacks are introduced by such mitigations.
The text was updated successfully, but these errors were encountered: