Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Development and Code Review
(Moderator:
fabian
) »
Anyone with old encrypted backups? - New authenticated encryption mode
« previous
next »
Print
Pages: [
1
]
Author
Topic: Anyone with old encrypted backups? - New authenticated encryption mode (Read 2552 times)
oittaa
Newbie
Posts: 1
Karma: 1
Anyone with old encrypted backups? - New authenticated encryption mode
«
on:
April 02, 2022, 08:02:47 pm »
Hello,
Since the current backup scheme (AES-256-CBC encrypted, SHA512 key derivation) doesn't have any authentication/integrity functionality added to it, which can be bad[1][2], I decided to make a pull request[3] that upgrades to a more modern scheme AES-256-GCM (Galois/Counter Mode). The pull request additionally removes the shell invocations that used openssl command line tool and just uses native PHP functions like openssl_encrypt() and openssl_decrypt().
I have tested that my new methods are compatible with openssl command line tool, and with the current encryption and key derivation scheme, but I don't have any older style backups (MD5 key derivation) since I'm pretty new OPNsense user. It would be great if someone with the older MD5 derived keys could test it. That way we could see that it really works end to end.
Steps needed.
1. Install (or have) a fully updated OPNsense on a virtual machine or on a real hardware.
2. Replace src/opnsense/mvc/app/library/OPNsense/Backup/Base.php file with this one
https://raw.githubusercontent.com/opnsense/core/c67e016ad6b8e84f672e11f0d1de65316bcfb134/src/opnsense/mvc/app/library/OPNsense/Backup/Base.php
3. Try to restore an encrypted backup, which uses MD5 key derivation.
4. Success!
Thanks!
[1]:
https://moxie.org/2011/12/13/the-cryptographic-doom-principle.html
[2]:
https://soatok.blog/2020/07/12/comparison-of-symmetric-encryption-methods/#aes-gcm-vs-aes-cbc
[3]:
https://github.com/opnsense/core/pull/5665
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Development and Code Review
(Moderator:
fabian
) »
Anyone with old encrypted backups? - New authenticated encryption mode