[
https://issues.apache.org/jira/browse/ARTEMIS-3103?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Justin Bertram resolved ARTEMIS-3103.
-------------------------------------
Resolution: Not A Problem
> Replace blowfish with a more secure encryption algorithm
> ---------------------------------------------------------
>
> Key: ARTEMIS-3103
> URL: https://issues.apache.org/jira/browse/ARTEMIS-3103
> Project: ActiveMQ Artemis
> Issue Type: Improvement
> Components: API
> Reporter: Ying Zhang
> Priority: Major
>
> The class {{org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec}}
> uses Blowfish to encrypt sensitive information.
> *Security Impact*:
> Blowfish's use of 64-bit block size (as opposed to e.g. AES's 128-bit block
> size) makes it vulnerable to [birthday
> attacks|https://en.wikipedia.org/wiki/Birthday_attack], particularly in
> contexts like [HTTPS|https://en.wikipedia.org/wiki/HTTPS]. In 2016, the
> SWEET32 attack demonstrated how to leverage birthday attacks to perform
> plaintext recovery (i.e. decrypting ciphertext) against ciphers with 64-bit
> block size.
> *Useful Resources*:
> https://cwe.mitre.org/data/definitions/319.html
> *Please share with us your opinions/comments if there are any:*
> Is the bug report helpful?
>
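The birthday bound behind the 64-bit versus 128-bit comparison in the quoted report, worked through as an added example (not part of the ticket and not Artemis code). Function names are hypothetical, and uniformly random values stand in for ciphertext blocks, so this models an ideal block cipher under one key rather than Blowfish itself.

```python
import math
import random


def collision_probability(blocks: int, block_bits: int) -> float:
    """Chance that at least two of `blocks` uniformly random ciphertext
    blocks of width `block_bits` are equal (birthday approximation)."""
    # -expm1(-x) equals 1 - exp(-x) but stays accurate when x is tiny.
    return -math.expm1(-blocks * (blocks - 1) / 2.0 ** (block_bits + 1))


def blocks_for_probability(p: float, block_bits: int) -> int:
    """Approximate block count at which the collision probability reaches p."""
    # Invert the approximation: n ~ sqrt(2^(b+1) * ln(1 / (1 - p)))
    return math.ceil(math.sqrt(2.0 ** (block_bits + 1) * -math.log1p(-p)))


def simulate(blocks: int, block_bits: int, trials: int, seed: int = 1) -> float:
    """Empirical collision rate; random values stand in for cipher output.
    Only practical for small block_bits, used here to check the formula."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        seen = set()
        for _ in range(blocks):
            value = rng.getrandbits(block_bits)
            if value in seen:
                hits += 1
                break
            seen.add(value)
    return hits / trials


if __name__ == "__main__":
    # Data volume under a single key before a block collision is likely.
    for bits in (64, 128):
        n = blocks_for_probability(0.5, bits)
        print(f"{bits}-bit block: 50% collision after ~{n:.3e} blocks "
              f"(~{n * bits // 8:.3e} bytes)")
    # Same data volume (2^32 blocks), very different risk.
    for bits in (64, 128):
        print(f"{bits}-bit block, 2^32 blocks: "
              f"p = {collision_probability(2 ** 32, bits):.3e}")
    # Scaled-down check of the formula with a 16-bit block.
    print("16-bit block, 256 blocks: predicted",
          round(collision_probability(256, 16), 3),
          "simulated", simulate(256, 16, 2000))
```

The bound depends on how many blocks are encrypted under one key, so the same calculation also tells you how often a key would need to be rotated to stay below a chosen collision probability.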