You are viewing a plain text version of this content. The canonical link for it is here.

Posted to notifications@ofbiz.apache.org by "Jacques Le Roux (Jira)" <ji...@apache.org> on 2021/07/20 15:32:00 UTC

[jira] [Commented] (OFBIZ-12281) Static initialization vectors for encryption

    [ https://issues.apache.org/jira/browse/OFBIZ-12281?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17384342#comment-17384342 ] 

Jacques Le Roux commented on OFBIZ-12281:
-----------------------------------------

Hi Artem,

I propose this patch to fix the case for DesCrypt class  [^OFBIZ-12281.patch] 

I tested by creating a person.mothersMaidenName encrypted field through webtools. Of course any encrypted field should work.
If it's OK with you, I'll use something similar to fix the ValueLinkApi class.

Thanks again for your report

BTW I noticed that we no longer can search entities using an encrypted field. "Fortunately" OFBIZ-5659 is still open. I'll check that...



> Static initialization vectors for encryption
> --------------------------------------------
>
>                 Key: OFBIZ-12281
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12281
>             Project: OFBiz
>          Issue Type: Bug
>            Reporter: Artem Smotrakov
>            Assignee: Jacques Le Roux
>            Priority: Major
>         Attachments: OFBIZ-12281.patch
>
>
> (after discussing this on security@ofbiz.apache.org, it was decided to open an Jira issue for that)
>  
> I've noticed that OFBiz Framework sometimes uses static initialization vectors (IV) while creating a cipher:
>  
> [https://github.com/apache/ofbiz-framework/blob/ec1c7f531420de8c8c4bf1b3a2d66693fd295051/applications/accounting/src/main/java/org/apache/ofbiz/accounting/thirdparty/valuelink/ValueLinkApi.java#L776]
>  
> [https://github.com/apache/ofbiz-framework/blob/ec1c7f531420de8c8c4bf1b3a2d66693fd295051/framework/base/src/main/java/org/apache/ofbiz/base/crypto/DesCrypt.java#L106]
>  
> IVs should be unique and ideally unpredictable to avoid producing the same ciphertexts for the same plaintexts.
>  
> The issues can be fixed with something like the following:
> {code:java}
> byte[] rawIV = new byte[8];
> SecureRandom random = new SecureRandom();
> random.nextBytes(rawIV).
> IvParameterSpec iv = new IvParameterSpec(rawIV);
> {code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)