Posted to notifications@ofbiz.apache.org by "Jacques Le Roux (Jira)" <ji...@apache.org> on 2021/07/20 14:54:00 UTC
[jira] [Updated] (OFBIZ-12281) Static initialization vectors for encryption
[ https://issues.apache.org/jira/browse/OFBIZ-12281?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacques Le Roux updated OFBIZ-12281:
------------------------------------
Attachment: OFBIZ-12281.patch
> Static initialization vectors for encryption
> --------------------------------------------
>
> Key: OFBIZ-12281
> URL: https://issues.apache.org/jira/browse/OFBIZ-12281
> Project: OFBiz
> Issue Type: Bug
> Reporter: Artem Smotrakov
> Assignee: Jacques Le Roux
> Priority: Major
> Attachments: OFBIZ-12281.patch
>
>
> (after discussing this on security@ofbiz.apache.org, it was decided to open a Jira issue for that)
>
> I've noticed that OFBiz Framework sometimes uses static initialization vectors (IVs) while creating a cipher:
>
> [https://github.com/apache/ofbiz-framework/blob/ec1c7f531420de8c8c4bf1b3a2d66693fd295051/applications/accounting/src/main/java/org/apache/ofbiz/accounting/thirdparty/valuelink/ValueLinkApi.java#L776]
>
> [https://github.com/apache/ofbiz-framework/blob/ec1c7f531420de8c8c4bf1b3a2d66693fd295051/framework/base/src/main/java/org/apache/ofbiz/base/crypto/DesCrypt.java#L106]
>
> IVs should be unique and ideally unpredictable to avoid producing the same ciphertexts for the same plaintexts.
>
> The issues can be fixed with something like the following:
> {code:java}
> import java.security.SecureRandom;
> import javax.crypto.spec.IvParameterSpec;
>
> // 8-byte IV: one block for DES/3DES, the ciphers used at the linked call sites
> byte[] rawIV = new byte[8];
> SecureRandom random = new SecureRandom();
> random.nextBytes(rawIV);
> IvParameterSpec iv = new IvParameterSpec(rawIV);
> {code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
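The following is an added, self-contained example (not part of the Jira issue, the attached patch, or OFBiz's own code) that shows the problem the report describes and the shape of the fix end to end: with a fixed IV, encrypting the same plaintext twice under the same key yields byte-identical ciphertext, so an observer can tell repeated values apart without the key; with a fresh SecureRandom IV per message the two ciphertexts differ. It also shows the part the snippet above leaves implicit: the random IV is not secret but must be transmitted with the ciphertext (here prepended to it) so the decrypting side can recover it. The transformation string, the class and method names, and the sample message are assumptions made for the example; the 8-byte IV matches the DES/3DES block size used by the linked call sites, while an AES cipher would need 16 bytes.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

public class IvDemo {
    // Assumed transformation for the example; 3DES in CBC mode has an 8-byte block, hence an 8-byte IV.
    private static final String TRANSFORM = "DESede/CBC/PKCS5Padding";
    private static final int BLOCK = 8;
    private static final SecureRandom RNG = new SecureRandom();

    // The weak pattern: a fixed, all-zero IV reused for every message.
    static byte[] encryptStaticIv(SecretKey key, byte[] plaintext) throws Exception {
        byte[] staticIv = new byte[BLOCK];
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(staticIv));
        return c.doFinal(plaintext);
    }

    // The fix: fresh random IV per call, prepended to the ciphertext (IV || ct).
    static byte[] encryptRandomIv(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[BLOCK];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plaintext);
        return ByteBuffer.allocate(BLOCK + ct.length).put(iv).put(ct).array();
    }

    // Split IV || ct back apart; the IV is public, only the key is secret.
    static byte[] decryptRandomIv(SecretKey key, byte[] ivAndCt) throws Exception {
        if (ivAndCt.length < BLOCK) {
            throw new IllegalArgumentException("input shorter than one IV block");
        }
        byte[] iv = Arrays.copyOfRange(ivAndCt, 0, BLOCK);
        byte[] ct = Arrays.copyOfRange(ivAndCt, BLOCK, ivAndCt.length);
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        return c.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        SecretKey key = KeyGenerator.getInstance("DESede").generateKey();
        // Constructed sample message; a real caller would pass whatever it stores or transmits.
        byte[] msg = "pan=4111111111111111;amount=100".getBytes(StandardCharsets.UTF_8);

        byte[] s1 = encryptStaticIv(key, msg);
        byte[] s2 = encryptStaticIv(key, msg);
        System.out.println("static IV, identical ciphertexts: " + Arrays.equals(s1, s2));   // true

        byte[] r1 = encryptRandomIv(key, msg);
        byte[] r2 = encryptRandomIv(key, msg);
        System.out.println("random IV, identical ciphertexts: " + Arrays.equals(r1, r2));   // false

        byte[] back = decryptRandomIv(key, r1);
        System.out.println("round trip ok: " + Arrays.equals(msg, back));                   // true
    }
}
```

Two practical points follow from the example. Every call site that adopts a per-message IV has to change its storage or wire format to carry the IV alongside the ciphertext, so the decrypt path must be updated together with the encrypt path. And CBC with a random IV hides equality of plaintexts but does not authenticate the ciphertext; if integrity matters at these call sites, that is a separate question from the one this issue raises.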