The Dangers of using ChatGPT for Coding: Flipping Bits in Ciphers and Why MACs Are So Important
I did a code review recently, and I noticed that the code was using AES with CBC (Cipher Block Chaining) mode. It involved saving encrypted data to a database, and it just looked like copy-and-paste code. So, I took the database, flipped a few bits, and showed the developer that I had changed the values of the transaction.
“How did you do that?” “Well, I flipped some bits!” “But it is encrypted.” “You do not have a MAC to check.” “What’s a MAC?” “Where did you get the code?” “I got it from ChatGPT.”
I stopped there, and was worried about the rest of the software. I then asked whether they knew how CBC worked, and was met with a blank face.
So I produced this code to illustrate the problem [here]:
from base64 import b64decode
from base64 import b64encode
import os
from Crypto.Cipher import AES
from Crypto.Random import get_random_bytes
from Crypto.Util.Padding import pad, unpad
import binascii
import sys

def encrypt(key, data, iv):
    # AES-CBC with PKCS#7 padding; the IV is prepended to the ciphertext.
    # Nothing here authenticates the output, so anyone who can edit the
    # stored value can flip bits in the IV or in a ciphertext block.
    cipher = AES.new(key, AES.MODE_CBC, iv)
    return b64encode(iv + cipher.encrypt(pad(data, AES.block_size)))

def decrypt(key, data):
    # The first block of the decoded value is the IV, the rest is ciphertext.
    # Decryption succeeds on modified input as long as the padding still checks.
    raw = b64decode(data)
    cipher = AES.new(key, AES.MODE_CBC, raw[:AES.block_size])
    return unpad(cipher.decrypt(raw[AES.block_size:]), AES.block_size)
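The following is an added worked example, not code from the original post. It reproduces the bit flip described above against the same iv || ciphertext layout, and then shows the fix the developer was missing: an HMAC over the stored record (encrypt-then-MAC). The sample record, keys and IV are constructed for the demonstration. CBC is implemented here by hand over a block cipher so that the XOR chaining is visible; the block cipher is AES when PyCryptodome is installed and otherwise an assumed stdlib-only Feistel stand-in, because the malleability is a property of CBC, not of the block cipher underneath it.

```python
import hashlib
import hmac
import os

BLOCK = 16

# Block cipher underneath CBC: AES via PyCryptodome when it is installed,
# otherwise a stdlib-only 4-round Feistel network keyed with HMAC-SHA256.
# The Feistel cipher is an assumed stand-in for illustration only.
try:
    from Crypto.Cipher import AES

    def block_encrypt(key, block):
        return AES.new(key, AES.MODE_ECB).encrypt(block)

    def block_decrypt(key, block):
        return AES.new(key, AES.MODE_ECB).decrypt(block)
except ImportError:
    def _feistel(key, block, rounds):
        left, right = block[:8], block[8:]
        for r in rounds:
            f = hmac.new(key, bytes([r]) + right, hashlib.sha256).digest()[:8]
            left, right = right, bytes(a ^ b for a, b in zip(left, f))
        return right + left  # final swap makes the same loop decrypt when run in reverse

    def block_encrypt(key, block):
        return _feistel(key, block, range(4))

    def block_decrypt(key, block):
        return _feistel(key, block, reversed(range(4)))


def pad(data):  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, iv, plaintext):
    """Return iv || ciphertext, the same layout the page's encrypt() stores."""
    padded, out, prev = pad(plaintext), [], iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, bytes(a ^ b for a, b in zip(padded[i:i + BLOCK], prev)))
        out.append(prev)
    return iv + b"".join(out)


def cbc_decrypt(key, iv_ct):
    """CBC with no integrity check: P[i] = D(C[i]) XOR C[i-1], where C[-1] is the IV."""
    prev, out = iv_ct[:BLOCK], []
    for i in range(BLOCK, len(iv_ct), BLOCK):
        block = iv_ct[i:i + BLOCK]
        out.append(bytes(a ^ b for a, b in zip(block_decrypt(key, block), prev)))
        prev = block
    return unpad(b"".join(out))


def flip(iv_ct, offset, mask):
    """XOR one byte of iv || ciphertext. Flipping byte k of C[i-1] (the IV for i = 0)
    flips the same bits in byte k of P[i]; for i > 0 it also garbles all of P[i-1]."""
    buf = bytearray(iv_ct)
    buf[offset] ^= mask
    return bytes(buf)


TAG_LEN = 32


def seal(enc_key, mac_key, plaintext):
    """Encrypt-then-MAC: HMAC-SHA256 over iv || ciphertext, appended as the tag."""
    body = cbc_encrypt(enc_key, os.urandom(BLOCK), plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def open_sealed(enc_key, mac_key, blob):
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        raise ValueError("MAC check failed: record was modified")
    return cbc_decrypt(enc_key, body)


def tamper_detected(enc_key, mac_key, plaintext, offset, mask):
    """True when a single-byte flip anywhere in the sealed record is rejected."""
    try:
        open_sealed(enc_key, mac_key, flip(seal(enc_key, mac_key, plaintext), offset, mask))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    key, mac_key = bytes(range(16)), bytes(range(16, 48))  # constructed demo keys
    record = b"amount=0000100.00;to=alice"                 # constructed sample record
    iv_ct = cbc_encrypt(key, bytes(BLOCK), record)
    # '0' XOR '9' == 0x09: flip IV byte 9 and digit 9 of the first block reads '9'
    print(cbc_decrypt(key, flip(iv_ct, 9, 0x09)))
    # flipping ciphertext byte 5 edits byte 5 of the *second* block and trashes the first
    print(cbc_decrypt(key, flip(iv_ct, BLOCK + 5, ord("a") ^ ord("b"))))
    print(tamper_detected(key, mac_key, record, 9, 0x09))
```

The first flip is the one that matters in practice: because the IV is stored next to the ciphertext, an attacker with write access to the database can edit any byte of the first plaintext block cleanly, with no garbled block to give the game away. With the HMAC in place the same edit is rejected before decryption is attempted; an AEAD mode such as AES-GCM gives the same guarantee in one call.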