WelcomeWelcome | FAQFAQ | DownloadsDownloads | WikiWiki

Author Topic: bcrypt used to encrypt mydata.bfe uses ECB  (Read 2104 times)

Offline adb014

  • Newbie
  • *
  • Posts: 16
bcrypt used to encrypt mydata.bfe uses ECB
« on: February 06, 2023, 04:06:38 PM »
Looking at the debian bug report and their solution (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700758) it seems that bcrypt is seriously broken. As it used Electronic Code Book for its operation mode, it encrypts the same blocks of data to the same value. An example of the problem can easily be seen on the wikipedia page [ https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Electronic_codebook_(ECB) ]. Could bcrypt be replaced with ccrypt (https://ccrypt.sourceforge.net) that uses AES256 with a CFB operation mode for the stream cipher and SHA1 for the password hash ?

Offline curaga

  • Administrator
  • Hero Member
  • *****
  • Posts: 11044
Re: bcrypt used to encrypt mydata.bfe uses ECB
« Reply #1 on: February 07, 2023, 02:35:58 AM »
We mainly use bcrypt for extension submission, to work around gmail filtering. The backup encryption is not meant against nation states really, so as such a weakness in the encryption is not a big issue.
The only barriers that can stop you are the ones you create yourself.

Offline adb014

  • Newbie
  • *
  • Posts: 16
Re: bcrypt used to encrypt mydata.bfe uses ECB
« Reply #2 on: February 08, 2023, 11:08:14 AM »
Frankly you hardly need to be a nation state to crack any block cipher that is made into a stream cipher using ECB... But ok, its noted, "don't rely of mydata.bfe being secure"