ERC-2335 checksum does not use an HMAC
Description
The ERC-2335 container format used for storing BLS keys encrypts with counter-mode AES (aes-128-ctr), an unauthenticated mode of encryption, and protects the ciphertext only with a checksum of SHA256(key || ciphertext), where key is a 16-byte slice of the KDF-derived decryption key. A secret-prefix hash of this form is not a proper message authentication code (for comparison, ). SHA-256 is a Merkle-Damgård construction whose output is simply its internal state after the final block, so anyone who knows a digest and the total length of the hashed input, but not the secret prefix, can resume the hash over additional data and produce a valid digest for the extended input.
Impact
ERC-2335 places no bound on the length of the stored data, so an attacker who can read and write the container can mount a length extension attack on SHA-256: treating the existing checksum as a hash state, they append the SHA-256 padding bytes followed by data of their choice to the ciphertext and recompute a checksum that still verifies, all without knowing the key. Because AES-CTR is malleable, the appended ciphertext decrypts to extra plaintext that the attacker influences. Given multiple opportunities to modify the container, they can flip bits in the appended data to flip the corresponding bits of the extra plaintext, even if they cannot observe the decrypted value directly. This does not lead to a practical attack on the current use, since the contained value is a BLS12-381 scalar, which blst checks to be 32 bytes during signing.
Recommendations
Enforce that the length of plaintext is as expected immediately after decryption instead of only during signing.
If using ERC-2335 for variable-length data, either prefix the plaintext with its length and check it after decryption, or ideally extend ERC-2335 to support HMAC-SHA256 as a checksum algorithm.
Remediation
This issue has been acknowledged by Babylon Labs, and a fix was implemented in commit 432b560e.