
bcrypt used to encrypt mydata.bfe uses ECB


Looking at the Debian bug report and their solution (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700758) it seems that bcrypt is seriously broken. As it used Electronic Code Book for its operation mode, it encrypts the same blocks of data to the same value. An example of the problem can easily be seen on the Wikipedia page [https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Electronic_codebook_(ECB)]. Could bcrypt be replaced with ccrypt (https://ccrypt.sourceforge.net) that uses AES256 with a CFB operation mode for the stream cipher and SHA1 for the password hash?

We mainly use bcrypt for extension submission, to work around Gmail filtering. The backup encryption is not meant against nation states really, so as such a weakness in the encryption is not a big issue.

Frankly you hardly need to be a nation state to crack any block cipher that is made into a stream cipher using ECB... But ok, it's noted, "don't rely on mydata.bfe being secure".
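
The ECB behaviour raised in this thread, as an added example that is not part of any post and is not bcrypt's or ccrypt's code: the same constructed plaintext is encrypted in ECB and in CFB mode, and repeated ciphertext blocks are counted, which is also how an ECB-encrypted file can be spotted. The block cipher is a toy Feistel stand-in built on SHA-256, and the 8-byte block size, key, IV, plaintext and all function names are assumptions made for the demonstration.

```python
import hashlib
from collections import Counter

BLOCK = 8                                  # bytes per block (assumed for the demo)
KEY = b"constructed-demo-key"              # constructed sample key
IV = b"\x01\x02\x03\x04\x05\x06\x07\x08"   # constructed; a real IV is random per file
# Constructed backup-like plaintext: 30 identical blocks between two unique ones.
PLAINTEXT = b"HOMEDIR=" + b"\x00" * (BLOCK * 30) + b"ENDOFTAR"

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_block(key, block):
    """Toy 8-round Feistel permutation; a stand-in, not a real cipher."""
    left, right = block[:4], block[4:]
    for rnd in range(8):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:4]
        left, right = right, xor(left, f)
    return left + right

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, data):
    # Every block is encrypted independently: equal input, equal output.
    return b"".join(encrypt_block(key, b) for b in blocks(data))

def cfb_encrypt(key, iv, data):
    # Each block is XORed with the encryption of the previous ciphertext block.
    out, prev = [], iv
    for b in blocks(data):
        prev = xor(b, encrypt_block(key, prev))
        out.append(prev)
    return b"".join(out)

def repeated_blocks(ciphertext):
    """Number of ciphertext blocks that duplicate another block."""
    counts = Counter(blocks(ciphertext))
    return sum(n - 1 for n in counts.values())

if __name__ == "__main__":
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(KEY, PLAINTEXT)))
    print("CFB repeated blocks:", repeated_blocks(cfb_encrypt(KEY, IV, PLAINTEXT)))
```

A non-zero repeat count on a ciphertext of this size shows plaintext structure leaking through without any knowledge of the key.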

