Posted to dev@pdfbox.apache.org by "Andreas Lehmkühler (JIRA)" <ji...@apache.org> on 2018/04/16 16:53:00 UTC
[jira] [Created] (PDFBOX-4191) Initialization vectors should be randomly generated for proper security guarantees
Andreas Lehmkühler created PDFBOX-4191:
------------------------------------------
Summary: Initialization vectors should be randomly generated for proper security guarantees
Key: PDFBOX-4191
URL: https://issues.apache.org/jira/browse/PDFBOX-4191
Project: PDFBox
Issue Type: Bug
Components: Crypto
Affects Versions: 2.0.9, 3.0.0 PDFBox
Reporter: Andreas Lehmkühler
Assignee: Andreas Lehmkühler
Rumen Paletov created the following issue for Android-Pdfbox on GitHub:
{quote}
As part of some research about the [common crypto mistakes that developers make|https://littlemaninmyhead.wordpress.com/2017/04/22/top-10-developer-crypto-mistakes/], I noticed that your application has one of them.
In StandardSecurityHandler.prepareEncryptionDictRev6 you're initializing Cipher instances with a static IV of 0s which is insecure. More details about this issue and how to fix it are available [here|https://doridori.github.io/Android-Security-Beware-of-the-default-IV/#sthash.SoPUiacY.dpbs].
{quote}
This is true for "our" PDFBox as well.