http://open-source-security-software.net/project/libsphinx/releases.atom 2024-11-15T08:49:41.960718+00:00 python-feedgen libsphinx v0.9 2018-03-07T22:18:25+00:00 This release should provide full and stable Sphinx and experimental Opaque functionality. The Opaque API might undergo some simplification before v1.0. But currently there are no other issues or outstanding features planned before a v1.0 2018-03-07T22:18:25+00:00 libsphinx v0.10 2018-03-14T14:00:31+00:00 This release contains an install target to the makefile, an updated goldilocks dependency and all public functions bearing prefixes. 2018-03-14T14:00:31+00:00 libsphinx v0.11 2021-03-24T14:53:05+00:00 Undecaffed sphinx, now solely based on sodium. also moved opaque into its own repo. 2021-03-24T14:53:05+00:00 libsphinx v1.0.0 2022-02-08T20:08:03+00:00 stable release. 2022-02-08T20:08:03+00:00 libsphinx v1.0.1 2022-10-05T17:29:30+00:00 this release includes hopefully everything to have it packaged under debian. 2022-10-05T17:29:30+00:00 libsphinx v1.0.2 2022-10-12T16:24:04+00:00 this release contains no changes, except for moving /debian into a seperate branch for debian packaging. 2022-10-12T16:24:04+00:00 libsphinx v1.1.0 2023-07-31T14:39:53+00:00 Attention! This release is backward incompatible with, it changes the function sphinx_finish() by adding one additional parameter. This release contains one security fix for the following active attack where the attacker is able to inject answers between the sphinx client and server and is additionally able to sniff the password used for authentication: client blinds password: H(p)^r - and sends it to the oracle attacker races the answer from the oracle and simply reflects back alpha to the client client unblinds and hashes the response: rwd = H(p,H(p)^(r*1/r)) attacker sniffs rwd attacker can offline bruteforce the password in this fix we enforce that the client checks in sphinx_finish() that the request send is not equal to the response. This way the attacker is forced to also include a scalar multiplication in their bruteforce attack, making it computationally more expensive. However note that an attacker returning alpha*2 or some other small multiplier will still be able to mount a significantly cheaper bruteforce attack against the master password. This is unavoidable and well-known issue and outside of the scope of SPHINX. 2023-07-31T14:39:53+00:00 libsphinx v1.1.1 2023-07-31T14:40:46+00:00 this is only for packaging and a good learning experience to not mess around with releases 2023-07-31T14:40:46+00:00