Posted to notifications@ofbiz.apache.org by "Artem Smotrakov (Jira)" <ji...@apache.org> on 2021/07/15 20:46:00 UTC
[jira] [Created] (OFBIZ-12281) Static initialization vectors for encryption
Artem Smotrakov created OFBIZ-12281:
---------------------------------------
Summary: Static initialization vectors for encryption
Key: OFBIZ-12281
URL: https://issues.apache.org/jira/browse/OFBIZ-12281
Project: OFBiz
Issue Type: Bug
Reporter: Artem Smotrakov
(after discussing this on security@ofbiz.apache.org, it was decided to open a Jira issue for that)
I've noticed that OFBiz Framework sometimes uses static initialization vectors (IV) while creating a cipher:
[https://github.com/apache/ofbiz-framework/blob/ec1c7f531420de8c8c4bf1b3a2d66693fd295051/applications/accounting/src/main/java/org/apache/ofbiz/accounting/thirdparty/valuelink/ValueLinkApi.java#L776]
[https://github.com/apache/ofbiz-framework/blob/ec1c7f531420de8c8c4bf1b3a2d66693fd295051/framework/base/src/main/java/org/apache/ofbiz/base/crypto/DesCrypt.java#L106]
IVs should be unique and ideally unpredictable to avoid producing the same ciphertexts for the same plaintexts.
The issues can be fixed with something like the following:
{code:java}
import java.security.SecureRandom;
import javax.crypto.spec.IvParameterSpec;

// Generate a fresh, unpredictable 8-byte IV (DES block size) for every encryption
byte[] rawIV = new byte[8];
SecureRandom random = new SecureRandom();
random.nextBytes(rawIV);
IvParameterSpec iv = new IvParameterSpec(rawIV);
{code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)