Fixed: Static initialization vectors for encryption (OFBIZ-12281)
(after discussing this on security@ofbiz.apache.org, it was decided to open a
Jira issue for that)
I've noticed that OFBiz Framework sometimes uses static initialization vectors
(IV) while creating a cipher:
https://s.apache.org/vhlbj
https://s.apache.org/nyndk
IVs should be unique and ideally unpredictable to avoid producing the same
ciphertexts for the same plaintexts.
The issues can be fixed with something like the following:
byte[] rawIV = new byte[8];
SecureRandom random = new SecureRandom();
random.nextBytes(rawIV).
IvParameterSpec iv = new IvParameterSpec(rawIV);
jleroux: this prepends the IV in order to decrypt the plaintexts. It's similar
to what has been done for the DesCrypt class. But contrary to the DesCrypt class
I did not test.
Thanks: Artem Smotrakov
2 files changed