You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@spark.apache.org by "Bjørn Jørgensen (Jira)" <ji...@apache.org> on 2022/03/05 14:11:00 UTC
[jira] [Created] (SPARK-38421) Cipher Block Chaining IVs should be unpredictable
Bjørn Jørgensen created SPARK-38421:
---------------------------------------
Summary: Cipher Block Chaining IVs should be unpredictable
Key: SPARK-38421
URL: https://issues.apache.org/jira/browse/SPARK-38421
Project: Spark
Issue Type: Bug
Components: Java API
Affects Versions: 3.3.0
Reporter: Bjørn Jørgensen
I have scanned java files with Sonarqube and in https://github.com/apache/spark/blob/master/common/network-common/src/main/java/org/apache/spark/network/crypto/TransportCipher.java
{code:java}
@VisibleForTesting
CryptoOutputStream createOutputStream(WritableByteChannel ch) throws IOException {
return new CryptoOutputStream(cipher, conf, ch, key, new IvParameterSpec(outIv));
@VisibleForTesting
CryptoInputStream createInputStream(ReadableByteChannel ch) throws IOException {
return new CryptoInputStream(cipher, conf, ch, key, new IvParameterSpec(inIv));
{code}
When encrypting data with the Cipher Block Chaining (CBC) mode an Initialization Vector (IV) is used to randomize the encryption, ie under a given key the same plaintext doesn’t always produce the same ciphertext. The IV doesn’t need to be secret but should be unpredictable to avoid "Chosen-Plaintext Attack".
To generate Initialization Vectors, NIST recommends to use a secure random number generator.
[OWASP Top 10 2021|https://owasp.org/Top10/A02_2021-Cryptographic_Failures/] Category A2 - Cryptographic Failures
[OWASP Top 10|https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html] 2017 Category A6 - Security Misconfiguration
[MITRE, CWE-329|https://cwe.mitre.org/data/definitions/329.html] - CWE-329: Not Using an Unpredictable IV with CBC Mode
[MITRE, CWE-330|https://cwe.mitre.org/data/definitions/330.html] - Use of Insufficiently Random Values
[NIST, SP-800-38A|https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38a.pdf] - Recommendation for Block Cipher Modes of Operation
Derived from FindSecBugs [rule STATIC_IV|https://find-sec-bugs.github.io/bugs.htm#STATIC_IV]
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@spark.apache.org
For additional commands, e-mail: issues-help@spark.apache.org