[GH-ISSUE #2] Potential issues #2

Closed
opened 2026-05-05 03:20:43 -06:00 by gitea-mirror · 3 comments

Originally created by @KaruroChori on GitHub (Feb 4, 2023).
Original GitHub issue: https://github.com/Rolands-Laucis/Socio/issues/2

Hi, just my two cents on what could be a potential security issue with your current model.
It is possible it has been addressed already, or it is taken care of implicitly; I do not know the details of your implementation.

In principle, we can perform attacks on the secret key if we can guess some queries (known-plaintext attack).
Queries are quite low entropy as they are written in a regular language and their structure follows rational principles.
This can be mitigated by adding random characters to them, which are later dropped in the back-end.


@Rolands-Laucis commented on GitHub (Feb 4, 2023):

Heyo, thanks for the interest and concern.

I've been wondering about the same thing for a while. I do append a random 1k-10k integer at the end of each of them just in case. Would that be enough? You can refer to my thread on cryptography stack exchange about this: https://crypto.stackexchange.com/questions/103505/is-there-a-standard-way-of-scrambling-the-output-of-aes/103509#103509 . As I understand it, as long as the IV is unique, my scrambled data retains the 3 attributes of Confidentiality, Integrity and Authenticity. It is unique, since half of the IV is incremental and the other is random.

If you are knowledgeable on the subject, could you perhaps take a look at the implementation in core/secure.ts to spot insecurities? As I am quite new to cryptography.


@KaruroChori commented on GitHub (Feb 5, 2023):

Sorry, wrong person! I am a computational biologist, not a cryptologist. I cannot really help much with that.

By the way, I really like the idea behind your project. I am keen to see how it develops.


@Rolands-Laucis commented on GitHub (Feb 22, 2023):

This has been fixed in version 0.6 with the suggestion of adding random numbers throughout the SQL string, which are removed after decryption.
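
The IV construction discussed in this thread (half incremental, half random), sketched as an added example; it is not Socio's code and not taken from core/secure.ts. AES-256-GCM, the 12-byte IV split, the message layout and the names `QueryChannel` and `demo` are assumptions. It encrypts the same guessable query twice and checks that the ciphertext bodies differ and that a modified message is rejected.

```javascript
const crypto = require("node:crypto");

// Assumed layout (not Socio's wire format): iv(12) || tag(16) || ciphertext.
const IV_LEN = 12, TAG_LEN = 16, MAX_COUNTER = 2 ** 48 - 1;

class QueryChannel {
  constructor(key) {
    this.key = key;     // 32-byte AES-256 key
    this.counter = 0;   // incremental half of the IV
  }

  // 6 bytes of big-endian message counter + 6 random bytes.
  nextIv() {
    if (this.counter > MAX_COUNTER) throw new Error("counter exhausted, rotate the key");
    const iv = Buffer.alloc(IV_LEN);
    iv.writeUIntBE(this.counter++, 0, 6);
    crypto.randomFillSync(iv, 6, 6);
    return iv;
  }

  encrypt(sql) {
    const iv = this.nextIv();
    const cipher = crypto.createCipheriv("aes-256-gcm", this.key, iv, { authTagLength: TAG_LEN });
    const body = Buffer.concat([cipher.update(sql, "utf8"), cipher.final()]);
    return Buffer.concat([iv, cipher.getAuthTag(), body]);
  }

  // Throws if the IV, tag or ciphertext was modified in transit.
  decrypt(msg) {
    const iv = msg.subarray(0, IV_LEN);
    const tag = msg.subarray(IV_LEN, IV_LEN + TAG_LEN);
    const decipher = crypto.createDecipheriv("aes-256-gcm", this.key, iv, { authTagLength: TAG_LEN });
    decipher.setAuthTag(tag);
    const body = msg.subarray(IV_LEN + TAG_LEN);
    return Buffer.concat([decipher.update(body), decipher.final()]).toString("utf8");
  }
}

function demo() {
  const channel = new QueryChannel(crypto.randomBytes(32));
  const sql = "SELECT name FROM users WHERE id = 1;"; // constructed sample query
  const a = channel.encrypt(sql), b = channel.encrypt(sql);
  const tampered = Buffer.from(a);
  tampered[tampered.length - 1] ^= 0x01; // flip one ciphertext bit
  let rejected = false;
  try { channel.decrypt(tampered); } catch { rejected = true; }
  const sameBody = a.subarray(IV_LEN + TAG_LEN).equals(b.subarray(IV_LEN + TAG_LEN));
  return { roundTrip: channel.decrypt(a) === sql, sameBody, rejected };
}
```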

Reference: github-starred/Socio#2