Andreas Lehmkühler created PDFBOX-4191:
------------------------------------------

             Summary: Initialization vectors should be randomly generated for proper security guarantees
                 Key: PDFBOX-4191
                 URL: https://issues.apache.org/jira/browse/PDFBOX-4191
             Project: PDFBox
          Issue Type: Bug
          Components: Crypto
    Affects Versions: 2.0.9, 3.0.0 PDFBox
            Reporter: Andreas Lehmkühler
            Assignee: Andreas Lehmkühler


Rumen Paletov created the following issue for Android-Pdfbox on GitHub:
{quote}
As part of some research about the [common crypto mistakes that developers make|https://littlemaninmyhead.wordpress.com/2017/04/22/top-10-developer-crypto-mistakes/], I noticed that your application has one of them.

In StandardSecurityHandler.prepareEncryptionDictRev6 you're initializing Cipher instances with a static IV of 0s which is insecure. More details about this issue and how to fix it are available [here|https://doridori.github.io/Android-Security-Beware-of-the-default-IV/#sthash.SoPUiacY.dpbs].
{quote}

This is true for "our" PDFBox as well.


