You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@directory.apache.org by "Ya Xiao (Jira)" <ji...@apache.org> on 2021/01/16 05:50:00 UTC
[jira] [Created] (DIRSERVER-2338) Using a static IV in symmetric
encryption with CBC mode
Ya Xiao created DIRSERVER-2338:
----------------------------------
Summary: Using a static IV in symmetric encryption with CBC mode
Key: DIRSERVER-2338
URL: https://issues.apache.org/jira/browse/DIRSERVER-2338
Project: Directory ApacheDS
Issue Type: Improvement
Reporter: Ya Xiao
*Vulnerability Description*
In file [directory-server/kerberos-codec/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/DesCbcCrcEncryption.java|[https://github.com/apache/directory-server/blob/master/kerberos-codec/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/DesCbcCrcEncryption.java],] a hardcoded IV (at Line 161) is used to initialize the cipher (at Line 165, Line 169).
*Security Impact:*
The IV of CBC mode is expected to be random. The static IV makes the resulting ciphertext much more predictable and susceptible to a dictionary attack.
*Useful Resources*:
[https://cwe.mitre.org/data/definitions/338.html|https://cwe.mitre.org/data/definitions/329.html]
*Solution we suggest*
Generate the IV bytes through SecureRandom.
*Please share with us your opinions/comments if there is any*
Is the bug report helpful?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@directory.apache.org
For additional commands, e-mail: dev-help@directory.apache.org