Md Mahir Asef Kabir created DELTASPIKE-1406:
-----------------------------------------------

             Summary: Usage of "SHA-256" and "AES" are insecure
                 Key: DELTASPIKE-1406
                 URL: https://issues.apache.org/jira/browse/DELTASPIKE-1406
             Project: DeltaSpike
          Issue Type: Improvement
      Security Level: public (Regular issues)
            Reporter: Md Mahir Asef Kabir


*Vulnerability Description:* In 
“deltaspike/core/impl/src/main/java/org/apache/deltaspike/core/impl/crypto/DefaultCipherService.java”,
 the following algorithms are set for later use - 

{code:java}
private static final String HASH_ALGORITHM = "SHA-256";
private static final String CIPHER_ALGORITHM = "AES";
{code}


Here, SHA-256 and AES are vulnerable.


*Reason it’s vulnerable:* According to 
[this|https://securityboulevard.com/2019/07/insecure-default-password-hashing-in-cmss/],
 “SHA256 functions do not include a salt and a separate function must be used 
to add the salt”. Another reference can be found here - 
https://dusted.codes/sha-256-is-not-a-secure-password-hashing-algorithm.

“AES” is also not secure. For further reference, please follow 
[this|https://zachgrace.com/posts/attacking-ecb/].


*Suggested Fix:* The secure algorithms to set would be -

{code:java}
private static final String HASH_ALGORITHM = "SHA-512";
private static final String CIPHER_ALGORITHM = "AES/CFB/PKCS5Padding";
{code}



*Feedback:* Please select any of the options down below to help us get an idea 
about how you felt about the suggestion - 

# Liked it and will make the suggested changes
# Liked it but happy with the existing version
# Didn’t find the suggestion helpful



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
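
The following is an added example, not code from the issue or from DeltaSpike. It shows what the bare "AES" transformation string means in practice and what switching to the suggested "AES/CFB/PKCS5Padding" requires. It assumes the default SunJCE provider, where `Cipher.getInstance("AES")` resolves to AES/ECB/PKCS5Padding; the class name, helper names, key and plaintext are constructed for the demo.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class AesDefaultModeDemo { // hypothetical class name
    // True when the first two 16-byte ciphertext blocks are identical.
    static boolean repeats(byte[] ct) {
        return Arrays.equals(Arrays.copyOfRange(ct, 0, 16), Arrays.copyOfRange(ct, 16, 32));
    }

    // Encrypts with the given transformation; iv == null means "no IV supplied".
    static byte[] encrypt(String transformation, SecretKeySpec key, byte[] iv, byte[] plain)
            throws Exception {
        Cipher c = Cipher.getInstance(transformation);
        if (iv == null) c.init(Cipher.ENCRYPT_MODE, key);
        else c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        return c.doFinal(plain);
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();
        byte[] keyBytes = new byte[16];               // constructed demo key, random per run
        rng.nextBytes(keyBytes);
        SecretKeySpec key = new SecretKeySpec(keyBytes, "AES");

        // Constructed sample input: two identical 16-byte plaintext blocks.
        byte[] plain = "0123456789abcdef0123456789abcdef".getBytes(StandardCharsets.US_ASCII);

        // Bare "AES" lets the provider choose mode and padding (ECB on SunJCE).
        byte[] ctBare = encrypt("AES", key, null, plain);
        byte[] ctEcb = encrypt("AES/ECB/PKCS5Padding", key, null, plain);
        System.out.println("bare AES equals explicit ECB: " + Arrays.equals(ctBare, ctEcb));
        System.out.println("bare AES repeats blocks:      " + repeats(ctBare));

        // The suggested transformation needs a fresh random IV per message,
        // and that IV must be stored alongside the ciphertext for decryption.
        byte[] iv = new byte[16];
        rng.nextBytes(iv);
        byte[] ctCfb = encrypt("AES/CFB/PKCS5Padding", key, iv, plain);
        System.out.println("CFB repeats blocks:           " + repeats(ctCfb));

        Cipher dec = Cipher.getInstance("AES/CFB/PKCS5Padding");
        dec.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        System.out.println("CFB round trip ok:            " + Arrays.equals(plain, dec.doFinal(ctCfb)));
    }
}
```

Changing only the constant is not enough: existing ciphertexts were produced without an IV, so the storage format and decryption path have to carry one as well.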
