Posted to dev@pdfbox.apache.org by "Andreas Lehmkühler (JIRA)" <ji...@apache.org> on 2018/04/16 16:53:00 UTC

[jira] [Created] (PDFBOX-4191) Initialization vectors should be randomly generated for proper security guarantees

Andreas Lehmkühler created PDFBOX-4191:
------------------------------------------

             Summary: Initialization vectors should be randomly generated for proper security guarantees
                 Key: PDFBOX-4191
                 URL: https://issues.apache.org/jira/browse/PDFBOX-4191
             Project: PDFBox
          Issue Type: Bug
          Components: Crypto
    Affects Versions: 2.0.9, 3.0.0 PDFBox
            Reporter: Andreas Lehmkühler
            Assignee: Andreas Lehmkühler


Rumen Paletov created the following issue for Android-Pdfbox on GitHub:
{quote}
As part of some research about the [common crypto mistakes that developers make|https://littlemaninmyhead.wordpress.com/2017/04/22/top-10-developer-crypto-mistakes/], I noticed that your application has one of them.

In StandardSecurityHandler.prepareEncryptionDictRev6 you're initializing Cipher instances with a static IV of 0s which is insecure. More details about this issue and how to fix it are available [here|https://doridori.github.io/Android-Security-Beware-of-the-default-IV/#sthash.SoPUiacY.dpbs].
{quote}

This is true for "our" PDFBox as well.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
