An IV reuse bug was discovered in Ruby's OpenSSL library when using aes-gcm. When encrypting data with aes-*-gcm, if the IV is set before setting the key, the cipher will default to using a static IV. This creates a static nonce and since aes-gcm is a stream cipher, this can lead to known cryptographic issues. References: http://seclists.org/oss-sec/2016/q3/562 Upstream bug: https://github.com/ruby/openssl/issues/49 Upstream patch: https://github.com/ruby/openssl/commit/8108e0a6db133f3375608303fdd2083eb5115062
Created ruby tracking bugs for this issue: Affects: fedora-all [bug 1381527]
Analysis: As explained in https://github.com/ruby/openssl/issues/49#issuecomment-248171371 Calling cipher.key after calling cipher.iv zeros out the value of the iv, resulting in a possibly weak cryptographic operation. Mitigation: A possible workaround to this flaw is, when using aes-256-gcm mode, always set the key first and then the iv. For example when setting random keys and iv use the following code segment: key = cipher.random_key iv = cipher.random_iv