You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@activemq.apache.org by "Justin Bertram (Jira)" <ji...@apache.org> on 2021/02/06 02:13:00 UTC
[jira] [Updated] (ARTEMIS-3103) Replace blowfish with a more
secure encryption algorithm
[ https://issues.apache.org/jira/browse/ARTEMIS-3103?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Justin Bertram updated ARTEMIS-3103:
------------------------------------
Description:
The class {{org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec}} uses blowfish encrypting sensitive information.
*Security Impact*:
Blowfish's use of 64-bit block size (as opposed to e.g. AES's 128-bit block size) makes it vulnerable to [birthday attacks|https://en.wikipedia.org/wiki/Birthday_attack], particularly in contexts like [HTTPS|https://en.wikipedia.org/wiki/HTTPS]. In 2016, the SWEET32 attack demonstrated how to leverage birthday attacks to perform plaintext recovery (i.e. decrypting ciphertext) against ciphers with 64-bit block size.
*Useful Resources*:
https://cwe.mitre.org/data/definitions/319.html
*Please share with us your opinions/comments if there is any:*
Is the bug report helpful?
was:
In file apache/activemq-artemis/blob/52263663c48082227916cc3477f8892d9f10134b/artemis-commons/src/main/java/org/apache/activemq/artemis/utils/DefaultSensitiveStringCodec.javaThe blowfish is used for encryption sensitive information
*Security Impact*:
Blowfish's use of 64-bit block size (as opposed to e.g. AES's 128-bit block size) makes it vulnerable to [birthday attacks|https://en.wikipedia.org/wiki/Birthday_attack], particularly in contexts like [HTTPS|https://en.wikipedia.org/wiki/HTTPS]. In 2016, the SWEET32 attack demonstrated how to leverage birthday attacks to perform plaintext recovery (i.e. decrypting ciphertext) against ciphers with 64-bit block size.
*Useful Resources*:
https://cwe.mitre.org/data/definitions/319.html
*Please share with us your opinions/comments if there is any:*
Is the bug report helpful?
> Replace blowfish with a more secure encryption algorithm
> ---------------------------------------------------------
>
> Key: ARTEMIS-3103
> URL: https://issues.apache.org/jira/browse/ARTEMIS-3103
> Project: ActiveMQ Artemis
> Issue Type: Improvement
> Components: API
> Reporter: Ying Zhang
> Priority: Major
>
> The class {{org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec}} uses blowfish encrypting sensitive information.
> *Security Impact*:
> Blowfish's use of 64-bit block size (as opposed to e.g. AES's 128-bit block size) makes it vulnerable to [birthday attacks|https://en.wikipedia.org/wiki/Birthday_attack], particularly in contexts like [HTTPS|https://en.wikipedia.org/wiki/HTTPS]. In 2016, the SWEET32 attack demonstrated how to leverage birthday attacks to perform plaintext recovery (i.e. decrypting ciphertext) against ciphers with 64-bit block size.
> *Useful Resources*:
> https://cwe.mitre.org/data/definitions/319.html
> *Please share with us your opinions/comments if there is any:*
> Is the bug report helpful?
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)