[ https://issues.apache.org/jira/browse/TIKA-3294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17279750#comment-17279750 ]

Nick Burch commented on TIKA-3294:
----------------------------------

This code is reading something that someone else has already encrypted, so not 
something we can change if we still want to read the files!

You would need to talk to the team behind the HWP file format, but probably 
only with the help of a time machine to catch them before they made the 
original decision...

> Usage of "ECB" mode for "AES" is insecure     
> ------------------------------------------
>
>                 Key: TIKA-3294
>                 URL: https://issues.apache.org/jira/browse/TIKA-3294
>             Project: Tika
>          Issue Type: Improvement
>            Reporter: Md Mahir Asef Kabir
>            Priority: Major
>
> In file 
> [https://github.com/apache/tika/blob/a43784b19f6b0955478dded71521b0491d21c90b/tika-parsers/tika-parsers-classic/tika-parsers-classic-modules/tika-parser-miscoffice-module/src/main/java/org/apache/tika/parser/hwp/HwpTextExtractorV5.java]
>  (at Line 370), the insecure "ECB" mode is used.
> *Security Impact*:
> ECB mode allows the attacker to do the following -
> detect whether two ECB-encrypted messages are identical;
> detect whether two ECB-encrypted messages share a common prefix;
> detect whether two ECB-encrypted messages share other common substrings, as 
> long as those substrings are aligned at block boundaries; or
> detect whether (and where) a single ECB-encrypted message contains repetitive 
> data (such as long runs of spaces or null bytes, repeated header fields, or 
> coincidentally repeated phrases in the text). - Collected from 
> [here|https://crypto.stackexchange.com/questions/20941/why-shouldnt-i-use-ecb-encryption#:~:text=The%20main%20reason%20not%20to,will%20leak%20to%20some%20extent).]
> *Useful Resources*:
> https://blog.filippo.io/the-ecb-penguin/
> *Solution we suggest*:
> Use GCM mode instead of default or ECB mode.
> *Please share with us your opinions/comments if there is any*:
> Is the bug report helpful?
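The four leaks the report lists all follow from one property of ECB: equal plaintext blocks under the same key give equal ciphertext blocks. The following is an added illustration, not code from Tika or from the reporter; it stands in for AES with a keyed SHA-256 truncation (deterministic per block, which is all ECB's leakage depends on) and then runs the checks an analyst would apply to ECB-encrypted data.

```python
import hashlib
from collections import defaultdict

BLOCK = 16  # AES block size in bytes


def _block_fn(key: bytes, block: bytes) -> bytes:
    # Stand-in for an AES block encryption (an assumption for this example):
    # a keyed PRF, not AES and not invertible, but deterministic per
    # (key, block), which is exactly the property ECB exposes.
    return hashlib.sha256(key + block).digest()[:BLOCK]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Zero-pad to a multiple of the block size, then encrypt every block
    # independently of its neighbours: the defining weakness of ECB.
    if len(plaintext) % BLOCK:
        plaintext += b"\x00" * (BLOCK - len(plaintext) % BLOCK)
    return b"".join(_block_fn(key, plaintext[i:i + BLOCK])
                    for i in range(0, len(plaintext), BLOCK))


def blocks(ct: bytes) -> list:
    return [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]


def repeated_blocks(ct: bytes) -> dict:
    """Ciphertext blocks seen more than once, mapped to their block indices.
    Any hit means the plaintext repeats at those (aligned) positions."""
    seen = defaultdict(list)
    for i, b in enumerate(blocks(ct)):
        seen[b].append(i)
    return {b: idx for b, idx in seen.items() if len(idx) > 1}


def common_prefix_blocks(ct_a: bytes, ct_b: bytes) -> int:
    """Number of leading blocks two ciphertexts share (shared plaintext prefix)."""
    n = 0
    for a, b in zip(blocks(ct_a), blocks(ct_b)):
        if a != b:
            break
        n += 1
    return n


def shared_blocks(ct_a: bytes, ct_b: bytes) -> set:
    """Block values present in both ciphertexts: aligned substrings in common."""
    return set(blocks(ct_a)) & set(blocks(ct_b))
```

With a constructed key and plaintexts such as 48 bytes of "A", every check fires; with 48 distinct bytes none do, which is the difference a mode like GCM (with a fresh nonce) removes.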



--
This message was sent by Atlassian Jira
(v8.3.4#803005)