You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@guacamole.apache.org by "Mike Jumper (Jira)" <ji...@apache.org> on 2021/02/11 18:47:00 UTC

[jira] [Updated] (GUACAMOLE-1286) Support a custom IV in guacamole-auth-json

     [ https://issues.apache.org/jira/browse/GUACAMOLE-1286?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mike Jumper updated GUACAMOLE-1286:
-----------------------------------
    Affects Version/s:     (was: 1.3.0)

> Support a custom IV in guacamole-auth-json
> ------------------------------------------
>
>                 Key: GUACAMOLE-1286
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1286
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: guacamole
>            Reporter: Bojan Zelic
>            Priority: Major
>
> It would be nice to support a custom (not-null) IV in guacamole-auth-json
> We have a cryptography expert at our company that took a look at the implementation here:
> [https://github.com/apache/guacamole-client/blob/master/extensions/guacamole-auth-json/src/main/java/org/apache/guacamole/auth/json/CryptoService.java#L76]
> according to him:
>  * Having a null-IV coupled with the cipher that Guacamole is using (CBC) is far from ideal from security perspective, even with the signature in the payload it's possible to generate the same cipher-text thus it is bruteforce-able
>  * He also thinks that it could be nice to use a standard like AEAD (https://en.wikipedia.org/wiki/Authenticated_encryption) in Guacamole instead of using a custom implementation.
> We believe that allowing a null-IV could be problematic and allowing a configurable IV would be a great short-term solution.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)