You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@commons.apache.org by "Md Mahir Asef Kabir (Jira)" <ji...@apache.org> on 2021/02/05 15:12:00 UTC

[jira] [Created] (VFS-792) Usage of default mode for "AES" is insecure

Md Mahir Asef Kabir created VFS-792:
---------------------------------------

             Summary: Usage of default mode for "AES" is insecure	
                 Key: VFS-792
                 URL: https://issues.apache.org/jira/browse/VFS-792
             Project: Commons VFS
          Issue Type: Improvement
            Reporter: Md Mahir Asef Kabir


In file [https://github.com/apache/commons-vfs/blob/bd1ed002b0fb0f43505adc469479eb11e9bf731a/commons-vfs2/src/main/java/org/apache/commons/vfs2/util/DefaultCryptor.java] (at Line 61), the default "AES" algorithm has been used which imposes insecure "ECB" mode.

*Security Impact*:

ECB mode allows the attacker to do the following -
 detect whether two ECB-encrypted messages are identical;
 detect whether two ECB-encrypted messages share a common prefix;
 detect whether two ECB-encrypted messages share other common substrings, as long as those substrings are aligned at block boundaries; or
 detect whether (and where) a single ECB-encrypted message contains repetitive data (such as long runs of spaces or null bytes, repeated header fields, or coincidentally repeated phrases in the text). - Collected from [here|https://crypto.stackexchange.com/questions/20941/why-shouldnt-i-use-ecb-encryption#:~:text=The%20main%20reason%20not%20to,will%20leak%20to%20some%20extent).]

*Useful Resources*:

[https://blog.filippo.io/the-ecb-penguin/]

*Solution we suggest*:

Use GCM mode instead of default or ECB mode.

*Please share with us your opinions/comments if there is any*:

Is the bug report helpful?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)