Initialization vectors should be randomly generated
Description
In AesEncryptor.cipher you're initializing a Cipher instance with a static IV, which is insecure: reusing the same IV with the same key means equal plaintexts produce equal ciphertexts, and in CBC mode an attacker who can observe ciphertexts can detect shared prefixes.
One possible solution would be to generate the initialization vector using SecureRandom:
Environment
None
Activity
Greg Thomas July 9, 2018 at 7:16 PM
On reflection, each property should have its own IV, so the PR adds a column to the DB to save it.
Greg Thomas July 9, 2018 at 11:47 AM
Unfortunately, it is not quite as simple as the ticket suggests; the IV is required to decrypt the text, too - which means it must be persisted, presumably in `conf/security.xml`.
wroot April 15, 2018 at 6:56 AM
Assigned this to gdt as he is usually checking security issues. Feel free to reassign to Dave or leave it unassigned.