Andrea Cosentino created CAMEL-23842:
----------------------------------------

             Summary: Camel-PQC: PQCDataFormat uses ECB mode without integrity protection (use authenticated encryption)
                 Key: CAMEL-23842
                 URL: https://issues.apache.org/jira/browse/CAMEL-23842
             Project: Camel
          Issue Type: Bug
          Components: camel-pqc
            Reporter: Andrea Cosentino
            Assignee: Andrea Cosentino


The PQC DataFormat performs the symmetric (DEM) layer of its KEM-DEM 
construction with {{Cipher.getInstance(symAlg)}} where {{symAlg}} is a bare 
algorithm name such as "AES" (PQCDataFormat#marshal / #unmarshal). With most 
JCE providers this resolves to {{AES/ECB/PKCS5Padding}}:

* ECB leaks plaintext block structure (identical plaintext blocks => identical 
ciphertext blocks) within a message.
* There is no IV/nonce and no integrity/authentication (no GCM tag, no HMAC), 
so the ciphertext is malleable and the DEM layer is not IND-CCA2 secure.

For a data format whose purpose is quantum-resistant confidentiality, shipping 
ECB without integrity is a meaningful weakness.

h3. Proposal
* Default to an authenticated mode (e.g. {{AES/GCM/NoPadding}}) with a freshly 
generated random nonce, written to the output stream alongside the existing 
{{[encapsulation length][encapsulation]}} framing.
* Optionally bind associated data (AAD).
* Consider backward compatibility for payloads encrypted with the current 
format and document it in the upgrade guide.

Affected: {{components/camel-pqc}} PQCDataFormat (marshal/unmarshal).
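To make the two points concrete, here is an added illustration written for this issue in plain JCE; it is not code from camel-pqc or from PQCDataFormat. The first method shows why a bare "AES" transformation is a problem: the provider selects ECB, and two identical 16-byte plaintext blocks produce identical ciphertext blocks. The second pair of methods shows the proposed DEM framing, {{[encapsulation length][encapsulation][nonce][ciphertext || tag]}}, using AES/GCM with a fresh random nonce and the encapsulation bytes bound as AAD, so that a bit flip anywhere in the frame fails decryption instead of producing silently altered plaintext. The KEM step is out of scope here and is replaced by a fresh random AES key and a constructed 64-byte stand-in for the encapsulation; the class and method names ({{DemFramingExample}}, {{marshal}}, {{unmarshal}}) are assumptions for the example, not names from the project.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Example class for this issue (hypothetical name); not part of camel-pqc.
public class DemFramingExample {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int GCM_NONCE_BYTES = 12;   // 96-bit nonce, the standard GCM size
    private static final int GCM_TAG_BITS = 128;     // full-length authentication tag

    // Stand-in for the KEM-derived DEM key: a fresh random AES-256 key.
    static SecretKey freshKey() {
        byte[] k = new byte[32];
        RNG.nextBytes(k);
        return new SecretKeySpec(k, "AES");
    }

    // The weakness: a bare "AES" transformation resolves to AES/ECB/PKCS5Padding on
    // most providers, so identical plaintext blocks give identical ciphertext blocks.
    static boolean ecbRepeatsBlocks(SecretKey key) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES");
        c.init(Cipher.ENCRYPT_MODE, key);
        byte[] pt = new byte[32];
        Arrays.fill(pt, (byte) 'A');               // two identical 16-byte blocks
        byte[] ct = c.doFinal(pt);
        return Arrays.equals(Arrays.copyOfRange(ct, 0, 16), Arrays.copyOfRange(ct, 16, 32));
    }

    // Proposed framing: [encapLen][encap][nonce][ciphertext || tag], encap bound as AAD.
    static byte[] marshal(SecretKey demKey, byte[] encapsulation, byte[] plaintext)
            throws IOException, GeneralSecurityException {
        byte[] nonce = new byte[GCM_NONCE_BYTES];
        RNG.nextBytes(nonce);                      // fresh random nonce per message
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, demKey, new GCMParameterSpec(GCM_TAG_BITS, nonce));
        c.updateAAD(encapsulation);                // tie the DEM output to this encapsulation
        byte[] ct = c.doFinal(plaintext);          // ciphertext with the GCM tag appended
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bos);
        out.writeInt(encapsulation.length);
        out.write(encapsulation);
        out.write(nonce);
        out.write(ct);
        out.flush();
        return bos.toByteArray();
    }

    // Reverse of marshal. Any modification of encap, nonce, ciphertext or tag
    // surfaces as AEADBadTagException rather than as corrupted plaintext.
    static byte[] unmarshal(SecretKey demKey, byte[] framed)
            throws IOException, GeneralSecurityException {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(framed));
        int encapLen = in.readInt();
        if (encapLen < 0 || encapLen > framed.length - 4 - GCM_NONCE_BYTES) {
            throw new IOException("bad encapsulation length: " + encapLen);
        }
        byte[] encapsulation = in.readNBytes(encapLen);
        if (encapsulation.length != encapLen) throw new IOException("truncated encapsulation");
        byte[] nonce = in.readNBytes(GCM_NONCE_BYTES);
        byte[] ct = in.readAllBytes();
        // A real implementation would decapsulate demKey from `encapsulation` here.
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, demKey, new GCMParameterSpec(GCM_TAG_BITS, nonce));
        c.updateAAD(encapsulation);
        return c.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        SecretKey key = freshKey();
        System.out.println("ECB repeats identical blocks: " + ecbRepeatsBlocks(key));

        byte[] encap = new byte[64];               // constructed stand-in for a KEM ciphertext
        RNG.nextBytes(encap);
        byte[] framed = marshal(key, encap, "hello camel".getBytes(StandardCharsets.UTF_8));
        System.out.println("round trip: " + new String(unmarshal(key, framed), StandardCharsets.UTF_8));

        framed[4] ^= 1;                            // flip one bit inside the encapsulation
        try {
            unmarshal(key, framed);
            System.out.println("tamper NOT detected");
        } catch (AEADBadTagException e) {
            System.out.println("tamper detected: " + e.getMessage());
        }
    }
}
```

Binding the encapsulation as AAD is what makes the GCM tag cover the whole frame, not just the payload; if the format later adds a version or algorithm identifier to the header, the same {{updateAAD}} call is the place to bind it.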

----
_Filed by Claude Code on behalf of Andrea Cosentino._



--
This message was sent by Atlassian Jira
(v8.20.10#820010)