PHPCRED-18: Partially incorrect blind password doesn't raise an error



Issue Information

Issue Type: Bug
Priority: Major
Status: Resolved

Reported By: Ben Tasker
Assigned To: Ben Tasker
Project: PHPCredlocker (PHPCRED)
Resolution: Fixed (2013-12-08 16:10:39)
Target version: 1.25
Components: Crypto, Double-Blind Storage

Created: 2013-12-08 15:55:02


Description
When using double-blind storage, setting a password of Password12 and then attempting to decrypt with Pass should result in a decryption error. However, because the first character decrypts successfully, the decryption appears to succeed.

The code needs to verify that the entire string has decrypted correctly, not just its first character.



Activity


Need to think of a good way to resolve this. Could add an additional indicator at the end of the string, but it's not necessarily going to make much difference - if the key has rotated (due to the length) then we might still be checking against a correct character.

A suitable additional step might be to add a checksum to the stored value, so the stored value would become:

1|..|(base64 pass)|..|(checksum)


Commit a3559cf implements a checksum operation to verify that the correct pass has been provided.
btasker changed status from 'Open' to 'Resolved'
btasker added 'Fixed' to resolution
btasker added '1.25' to Fix Version
btasker removed '1.5' from Fix Version
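A runnable model of the failure described in this issue and of the checksum fix, added here as an example; it is not PHPCredlocker's own code (the project is PHP, this is Python) and does not reproduce commit a3559cf. The repeating-key XOR standing in for the double-blind transform and the HMAC used as the checksum are assumptions of this example; only the stored layout 1|..|(base64 pass)|..|(checksum) comes from the issue.

```python
import base64
import hashlib
import hmac


def _blind_xor(data: bytes, key: bytes) -> bytes:
    # Toy stand-in for the double-blind transform (assumption, not the project's
    # cipher). A key that is a prefix of the right one decrypts the leading bytes
    # correctly and only drifts once the key rotates past its own length.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _checksum(plaintext: bytes, blind_password: str) -> str:
    # Keyed over the whole plaintext, so every character must decrypt correctly
    # (a keyed MAC rather than a bare hash, so no fingerprint of the secret is
    # stored beside the ciphertext; this is a choice of the example).
    return hmac.new(blind_password.encode(), plaintext, hashlib.sha256).hexdigest()


def store(secret: str, blind_password: str) -> str:
    """Build the stored value in the 1|..|(base64 pass)|..|(checksum) layout."""
    ct = _blind_xor(secret.encode(), blind_password.encode())
    b64 = base64.b64encode(ct).decode()
    return "1|..|" + b64 + "|..|" + _checksum(secret.encode(), blind_password)


def _decrypt_field(stored: str, blind_password: str):
    version, _, b64, _, checksum = stored.split("|")
    if version != "1":
        raise ValueError("unknown storage version")
    return _blind_xor(base64.b64decode(b64), blind_password.encode()), checksum


def retrieve_first_char_only(stored: str, blind_password: str) -> str:
    """Pre-fix behaviour as modelled here: accept once the first character
    decrypts to something plausible, so 'Pass' is accepted for 'Password12'."""
    pt, _ = _decrypt_field(stored, blind_password)
    if not pt[:1].isalnum():
        raise ValueError("decryption failed")
    return pt.decode("latin-1")  # trailing bytes are garbage but go unnoticed


def retrieve(stored: str, blind_password: str) -> str:
    """Fixed behaviour: verify the checksum over the entire decrypted string."""
    pt, checksum = _decrypt_field(stored, blind_password)
    if not hmac.compare_digest(_checksum(pt, blind_password), checksum):
        raise ValueError("decryption failed: checksum mismatch")
    return pt.decode()
```

With a constructed secret stored under the blind password Password12, the first-character check accepts Pass and returns a value whose first four characters are right and the rest garbled, while the checksum version raises.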