Posted to notifications@ofbiz.apache.org by "Artem Smotrakov (Jira)" <ji...@apache.org> on 2021/07/15 20:46:00 UTC

[jira] [Created] (OFBIZ-12281) Static initialization vectors for encryption

Artem Smotrakov created OFBIZ-12281:
---------------------------------------

             Summary: Static initialization vectors for encryption
                 Key: OFBIZ-12281
                 URL: https://issues.apache.org/jira/browse/OFBIZ-12281
             Project: OFBiz
          Issue Type: Bug
            Reporter: Artem Smotrakov


(after discussing this on security@ofbiz.apache.org, it was decided to open a Jira issue for that)

 
I've noticed that OFBiz Framework sometimes uses static initialization vectors (IV) while creating a cipher:
 
[https://github.com/apache/ofbiz-framework/blob/ec1c7f531420de8c8c4bf1b3a2d66693fd295051/applications/accounting/src/main/java/org/apache/ofbiz/accounting/thirdparty/valuelink/ValueLinkApi.java#L776]
 
[https://github.com/apache/ofbiz-framework/blob/ec1c7f531420de8c8c4bf1b3a2d66693fd295051/framework/base/src/main/java/org/apache/ofbiz/base/crypto/DesCrypt.java#L106]
 
IVs should be unique and ideally unpredictable to avoid producing the same ciphertexts for the same plaintexts.
 
The issues can be fixed with something like the following:

{code:java}
import java.security.SecureRandom;
import javax.crypto.spec.IvParameterSpec;

// 8 bytes: the block size of DES/DESede, so the IV is 8 bytes
byte[] rawIV = new byte[8];
SecureRandom random = new SecureRandom();
random.nextBytes(rawIV);  // fresh, unpredictable IV for every encryption
IvParameterSpec iv = new IvParameterSpec(rawIV);
{code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
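As an added illustration (not part of the ticket, and not code from ValueLinkApi or DesCrypt), the following stand-alone Java program contrasts the static-IV pattern the ticket describes with the per-message random IV it proposes. It shows two properties of CBC with a fixed IV: identical plaintexts give identical ciphertexts, and plaintexts that share a leading block give ciphertexts that share their first block. The transformation DESede/CBC/PKCS5Padding, the generated key, the sample plaintexts and the class and method names are all assumptions chosen to match the 8-byte IV in the ticket's snippet.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

public class IvDemo {
    // DES and DESede have an 8-byte block, hence the 8-byte IV in the ticket.
    private static final int BLOCK = 8;
    // Assumption for this demo; not necessarily what OFBiz configures.
    private static final String TRANSFORMATION = "DESede/CBC/PKCS5Padding";
    private static final SecureRandom RANDOM = new SecureRandom();

    // The weak pattern: one IV, fixed at class-load time, reused for every message.
    private static final byte[] STATIC_IV = new byte[BLOCK];

    static byte[] encryptStaticIv(SecretKey key, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance(TRANSFORMATION);
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(STATIC_IV));
        return c.doFinal(plaintext);
    }

    // The fix: a fresh random IV per message. The IV is not secret, so it is simply
    // stored in front of the ciphertext for the receiver to read back.
    static byte[] encryptRandomIv(SecretKey key, byte[] plaintext) throws Exception {
        byte[] rawIv = new byte[BLOCK];
        RANDOM.nextBytes(rawIv);
        Cipher c = Cipher.getInstance(TRANSFORMATION);
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(rawIv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[BLOCK + ct.length];
        System.arraycopy(rawIv, 0, out, 0, BLOCK);
        System.arraycopy(ct, 0, out, BLOCK, ct.length);
        return out;
    }

    static byte[] decryptRandomIv(SecretKey key, byte[] ivAndCt) throws Exception {
        // PKCS5-padded ciphertext is at least one block, so anything shorter is malformed.
        if (ivAndCt.length < 2 * BLOCK) {
            throw new IllegalArgumentException("input too short to hold IV and ciphertext");
        }
        IvParameterSpec iv = new IvParameterSpec(ivAndCt, 0, BLOCK);
        Cipher c = Cipher.getInstance(TRANSFORMATION);
        c.init(Cipher.DECRYPT_MODE, key, iv);
        return c.doFinal(ivAndCt, BLOCK, ivAndCt.length - BLOCK);
    }

    public static void main(String[] args) throws Exception {
        SecretKey key = KeyGenerator.getInstance("DESede").generateKey();
        // Constructed sample plaintexts; both start with the same 8 bytes "card=411".
        byte[] msg1 = "card=4111111111111111;exp=01/25".getBytes(StandardCharsets.UTF_8);
        byte[] msg2 = "card=4111111111111111;exp=02/26".getBytes(StandardCharsets.UTF_8);

        byte[] s1 = encryptStaticIv(key, msg1);
        byte[] s1Again = encryptStaticIv(key, msg1);
        byte[] s2 = encryptStaticIv(key, msg2);
        System.out.println("static IV: same plaintext -> same ciphertext: "
                + Arrays.equals(s1, s1Again));
        System.out.println("static IV: shared first block -> shared first ciphertext block: "
                + Arrays.equals(Arrays.copyOf(s1, BLOCK), Arrays.copyOf(s2, BLOCK)));

        byte[] r1 = encryptRandomIv(key, msg1);
        byte[] r1Again = encryptRandomIv(key, msg1);
        System.out.println("random IV: same plaintext -> same ciphertext: "
                + Arrays.equals(r1, r1Again));
        System.out.println("random IV: round trip ok: "
                + Arrays.equals(msg1, decryptRandomIv(key, r1)));
    }
}
```

Two caveats for anyone applying this to real code: the random IV has to travel with the ciphertext (here, prepended), so any stored data or wire format that assumed a bare ciphertext must change; and a random IV only fixes the equal-plaintext and equal-prefix leaks. CBC without a MAC remains malleable, so ciphertexts that an attacker can tamper with still need authentication, which an authenticated mode such as AES/GCM provides in one step.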