PHPCRED-18: Partially incorrect blind password doesn't raise an error

Issue Information

Issue Type: Bug
 
Priority: Major
Status: Resolved

Reported By:
Ben Tasker
Assigned To:
Ben Tasker
Project: PHPCredlocker (PHPCRED)
Resolution: Fixed (2013-12-08 16:10:39)
Target version: 1.25,
Components: Crypto , Double-Blind Storage ,

Created: 2013-12-08 15:55:02
Time Spent Working


Description
When using double-blind, setting a password of Password12 and then attempting to decrypt with Pass should result in a decryption error. However, as the first character is successfully decrypted, the decryption appears to work.

Need to ensure that the entire string has correctly decrypted.


Issue Links

relates to PHPCRED-11: Double Blind Encryption
Toggle State Changes

Activity


2013-12-08 16:10:03
Need to think of a good way to resolve this. Could add an additional indicator at the end of the string, but it's not necessarily going to make much difference - if the key has rotated (due to the length) then we might still be checking against a correct character.

A suitable additional step might be to add a checksum to the stored value, so the stored value would become


1\|..\|(base64 pass)\|..\|(checksum)



2013-12-08 16:10:34
Commit a3559cf implements a checksum operation to verify that the correct pass has been provided.

2013-12-08 16:10:39
btasker changed status from 'Open' to 'Resolved'

2013-12-08 16:10:39
btasker added 'Fixed' to resolution

2013-12-08 16:34:33
btasker added '1.25' to Fix Version

2013-12-08 16:34:33
btasker removed '1.5' from Fix Version