You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@activemq.apache.org by "Ying Zhang (Jira)" <ji...@apache.org> on 2021/02/06 01:46:00 UTC
[jira] [Created] (ARTEMIS-3103) Replace blowfish with a more
secure encryption algorithm
Ying Zhang created ARTEMIS-3103:
-----------------------------------
Summary: Replace blowfish with a more secure encryption algorithm
Key: ARTEMIS-3103
URL: https://issues.apache.org/jira/browse/ARTEMIS-3103
Project: ActiveMQ Artemis
Issue Type: Improvement
Components: API
Reporter: Ying Zhang
In file apache/activemq-artemis/blob/52263663c48082227916cc3477f8892d9f10134b/artemis-commons/src/main/java/org/apache/activemq/artemis/utils/DefaultSensitiveStringCodec.javaThe blowfish is used for encryption sensitive information
*Security Impact*:
Blowfish's use of 64-bit block size (as opposed to e.g. AES's 128-bit block size) makes it vulnerable to [birthday attacks|https://en.wikipedia.org/wiki/Birthday_attack], particularly in contexts like [HTTPS|https://en.wikipedia.org/wiki/HTTPS]. In 2016, the SWEET32 attack demonstrated how to leverage birthday attacks to perform plaintext recovery (i.e. decrypting ciphertext) against ciphers with 64-bit block size.
*Useful Resources*:
https://cwe.mitre.org/data/definitions/319.html
*Please share with us your opinions/comments if there is any:*
Is the bug report helpful?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)