[jira] [Commented] (QPID-8504) Usage of default mode for "AES" is insecure

Tue, 09 Feb 2021 03:05:04 -0800 


    [ 
https://issues.apache.org/jira/browse/QPID-8504?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17281712#comment-17281712
 ] 

ASF GitHub Bot commented on QPID-8504:
--------------------------------------

Dedeepya-T opened a new pull request #80:
URL: https://github.com/apache/qpid-broker-j/pull/80


   Changed the date time format to UTC in the logging


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]


> Usage of default mode for "AES" is insecure
> -------------------------------------------
>
>                 Key: QPID-8504
>                 URL: https://issues.apache.org/jira/browse/QPID-8504
>             Project: Qpid
>          Issue Type: Improvement
>            Reporter: Md Mahir Asef Kabir
>            Priority: Major
>
> In file 
> https://github.com/apache/qpid-broker-j/blob/a70ed6f5edbcf0e8690447d48a1fe64e599cb703/broker-core/src/main/java/org/apache/qpid/server/security/encryption/AESKeyFileEncrypter.java
>  (at Line 55), the default "AES" algorithm has been used which imposes 
> insecure "ECB" mode.
> *Security Impact*:
> ECB mode allows the attacker to do the following -
> detect whether two ECB-encrypted messages are identical;
> detect whether two ECB-encrypted messages share a common prefix;
> detect whether two ECB-encrypted messages share other common substrings, as 
> long as those substrings are aligned at block boundaries; or
> detect whether (and where) a single ECB-encrypted message contains repetitive 
> data (such as long runs of spaces or null bytes, repeated header fields, or 
> coincidentally repeated phrases in the text). - Collected from 
> [here|https://crypto.stackexchange.com/questions/20941/why-shouldnt-i-use-ecb-encryption#:~:text=The%20main%20reason%20not%20to,will%20leak%20to%20some%20extent).]
> *Useful Resources*:
> https://blog.filippo.io/the-ecb-penguin/
> *Solution we suggest*:
> Use GCM mode instead of default or ECB mode.
> *Please share with us your opinions/comments if there is any*:
> Is the bug report helpful?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to