hackerone | realguyman0 | H1:852841
History: Apr 18, 2020 - 10:43 a.m.

Nextcloud: Reduced permutations on encryption

2020-04-18 10:43:45
realguyman0
hackerone.com
19

EPSS

0.001

Percentile

21.2%

OC\Security\SecureRandom::generate

Reduced Permutations

OC\Security\SecureRandom::generate will by default use the a-Z0-9+/ (64 bytes) character set. The numbers are not predictable, due to the use of random_int.

Most notably, the OC\Security\Crypto::encrypt method uses an IV with a length of 16 bytes. It is chosen randomly via OC\Security\SecureRandom::generate with the default character set. There are 256 possible bytes, but in this case it is actually 64 bytes. The number of permutations is 64^16 (instead of 256^16), which equates to a 12-byte, or 96-bit IV (instead of the expected 16-byte, or 128-bit IV). Use raw bytes when doing cryptographic operations, via random_bytes.

Do not use OC\Security\Crypto::generate for cryptographic keys.
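
The entropy gap described above, as an added example that is not part of the original report and is not Nextcloud's code: `charsetIv()` is a hypothetical stand-in for a generator that picks each byte from a 64-character set with random_int, and `rawIv()` is the random_bytes form the report recommends. The character set constant, function names and the message counts in the loop are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Assumed 64-character set matching the report's "a-Z0-9+/" description.
const CHARSET_64 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/';

// Hypothetical stand-in for the pattern in the report: every output byte is
// looked up in a fixed character set, so it can take only 64 of 256 values.
// The lookup is indexed by the secret random number, which is the access
// pattern the report's Cache Timing Attacks section refers to.
function charsetIv(int $length, string $charset = CHARSET_64): string
{
    $max = strlen($charset) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $charset[random_int(0, $max)];
    }
    return $out;
}

// Recommended form: raw bytes, each of which can take any of 256 values.
function rawIv(int $length): string
{
    return random_bytes($length);
}

// Entropy in bits of $length symbols drawn uniformly from $alphabetSize values.
function entropyBits(int $length, int $alphabetSize): float
{
    return $length * log($alphabetSize, 2);
}

// Birthday approximation: probability that at least two of $n IVs collide
// when each is drawn uniformly from a space of 2^$bits values.
function collisionProbability(float $n, float $bits): float
{
    return -expm1(-($n * ($n - 1)) / (2 * 2 ** $bits));
}

printf("charset IV: %s (%.0f bits)\n", charsetIv(16), entropyBits(16, 64));
printf("raw IV:     %s (%.0f bits)\n", bin2hex(rawIv(16)), entropyBits(16, 256));
foreach ([32, 40, 48] as $e) { // constructed message counts, 2^e encryptions under one key
    $n = 2.0 ** $e;
    printf("n=2^%d  p(96-bit)=%.3e  p(128-bit)=%.3e\n",
        $e, collisionProbability($n, 96), collisionProbability($n, 128));
}
```

For any fixed number of encryptions, the collision probability in the 96-bit space is about 2^32 times the 128-bit figure.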

Cache Timing Attacks

It is potentially vulnerable to cache timing attacks because the secret number is used as an index to look up a byte value in a string. Read more about cache-timing attacks here.

Impact

  1. Reduced permutations increase the chances of IV re-use (which can destroy confidentiality), and bring encryption key strength down (chances are still too low with a 256-bit encryption key).

  2. If the complex cache timing attack vector exists, and is abused: it is possible to determine secret values generated with OC\Security\SecureRandom::generate.
