Posted to issues@activemq.apache.org by "Ying Zhang (Jira)" <ji...@apache.org> on 2021/02/06 01:46:00 UTC

[jira] [Created] (ARTEMIS-3103) Replace blowfish with a more secure encryption algorithm

Ying Zhang created ARTEMIS-3103:
-----------------------------------

             Summary: Replace blowfish with a more secure encryption algorithm
                 Key: ARTEMIS-3103
                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3103
             Project: ActiveMQ Artemis
          Issue Type: Improvement
          Components: API
            Reporter: Ying Zhang


In file apache/activemq-artemis/blob/52263663c48082227916cc3477f8892d9f10134b/artemis-commons/src/main/java/org/apache/activemq/artemis/utils/DefaultSensitiveStringCodec.java, Blowfish is used for encrypting sensitive information.

*Security Impact*:

Blowfish's use of a 64-bit block size (as opposed to e.g. AES's 128-bit block size) makes it vulnerable to [birthday attacks|https://en.wikipedia.org/wiki/Birthday_attack], particularly in contexts like [HTTPS|https://en.wikipedia.org/wiki/HTTPS]. In 2016, the SWEET32 attack demonstrated how to leverage birthday attacks to perform plaintext recovery (i.e. decrypting ciphertext) against ciphers with a 64-bit block size.

*Useful Resources*:

https://cwe.mitre.org/data/definitions/319.html

*Please share with us your opinions/comments if there are any:*

Is the bug report helpful?

 



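The block-size argument in the Security Impact paragraph, worked through as an added example that is not part of the Jira report or of the Artemis code base: it computes how much data can be encrypted under one key before two ciphertext blocks are likely to collide, for a 64-bit and a 128-bit block, and checks the birthday approximation by simulation at a scaled-down block size. The function names are assumptions of this example, and it assumes ciphertext blocks behave as uniformly random values.

```python
import math
import random


def collision_probability(block_bits: int, n_blocks: int) -> float:
    """Birthday approximation: P(two of n random b-bit blocks are equal)."""
    pairs = n_blocks * (n_blocks - 1) / 2
    return -math.expm1(-pairs / 2 ** block_bits)


def blocks_for_probability(block_bits: int, p: float) -> int:
    """Number of blocks after which a collision has probability about p."""
    return math.ceil(math.sqrt(2 * 2 ** block_bits * -math.log1p(-p)))


def data_until_collision_bytes(block_bits: int, p: float) -> int:
    """Data volume under one key before a collision has probability p."""
    return blocks_for_probability(block_bits, p) * (block_bits // 8)


def simulate(block_bits: int, n_blocks: int, trials: int, seed: int = 1) -> float:
    """Empirical collision rate at a scaled-down block size, to check the formula."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        seen = set()
        for _ in range(n_blocks):
            block = rng.getrandbits(block_bits)
            if block in seen:
                hits += 1
                break
            seen.add(block)
    return hits / trials


if __name__ == "__main__":
    for name, bits in (("Blowfish (64-bit block)", 64), ("AES (128-bit block)", 128)):
        gib = data_until_collision_bytes(bits, 0.5) / 2 ** 30
        print(f"{name}: 50% collision chance after about {gib:.3g} GiB under one key")
    # Constructed check: a 16-bit toy block makes the simulation cheap.
    n = blocks_for_probability(16, 0.5)
    print("16-bit toy block:", collision_probability(16, n), "vs simulated", simulate(16, n, 2000))
```

The 64-bit figure is a volume a long-lived connection or a large store can reach under a single key, while the 128-bit figure is larger by a factor of about 2^33.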