[jira] [Created] (DIRSERVER-2338) Using a static IV in symmetric encryption with CBC mode

Ya Xiao (Jira) Fri, 15 Jan 2021 21:50:10 -0800

Ya Xiao created DIRSERVER-2338:
----------------------------------

             Summary: Using a static IV in symmetric encryption with CBC mode
                 Key: DIRSERVER-2338
                 URL: https://issues.apache.org/jira/browse/DIRSERVER-2338
             Project: Directory ApacheDS
          Issue Type: Improvement
            Reporter: Ya Xiao



*Vulnerability Description*

In file 
[directory-server/kerberos-codec/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/DesCbcCrcEncryption.java|[https://github.com/apache/directory-server/blob/master/kerberos-codec/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/DesCbcCrcEncryption.java],]
 a hardcoded IV (at Line 161) is used to initialize the cipher (at Line 165, 
Line 169).

*Security Impact:*

The IV of CBC mode is expected to be random. The static IV makes the resulting 
ciphertext much more predictable and susceptible to a dictionary attack.

*Useful Resources*:

[https://cwe.mitre.org/data/definitions/338.html|https://cwe.mitre.org/data/definitions/329.html]

*Solution we suggest*

Generate the IV bytes through SecureRandom.

*Please share with us your opinions/comments if there is any*

Is the bug report helpful?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

[jira] [Created] (DIRSERVER-2338) Using a static IV in symmetric encryption with CBC mode

Reply via email to