[
https://issues.apache.org/jira/browse/DELTASPIKE-1406?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Md Mahir Asef Kabir updated DELTASPIKE-1406:
--------------------------------------------
Summary: Usage of "SHA-256" and "AES" is insecure (was: Usage of "SHA-256"
and "AES" are insecure)
> Usage of "SHA-256" and "AES" is insecure
> ----------------------------------------
>
> Key: DELTASPIKE-1406
> URL: https://issues.apache.org/jira/browse/DELTASPIKE-1406
> Project: DeltaSpike
> Issue Type: Improvement
> Security Level: public(Regular issues)
> Reporter: Md Mahir Asef Kabir
> Priority: Major
>
> *Vulnerability Description:* In
> “deltaspike/core/impl/src/main/java/org/apache/deltaspike/core/impl/crypto/DefaultCipherService.java”,
> the following algorithms were set to use later -
> {code:java}
> private static final String HASH_ALGORITHM = "SHA-256";
> private static final String CIPHER_ALGORITHM = "AES";
> {code}
> Here, SHA-256 and AES are vulnerable.
> *Reason it’s vulnerable:* According to
> [this|https://securityboulevard.com/2019/07/insecure-default-password-hashing-in-cmss/],
> “SHA256 functions do not include a salt and a separate function must be
> used to add the salt”. Another reference can be found here -
> https://dusted.codes/sha-256-is-not-a-secure-password-hashing-algorithm.
> ”AES” is also not secure. For further reference, please follow
> [this|https://zachgrace.com/posts/attacking-ecb/]
> *Suggested Fix:* The secure algorithms to set would be -
> {code:java}
> private static final String HASH_ALGORITHM = "SHA-512";
> private static final String CIPHER_ALGORITHM = "AES/CFB/PKCS5Padding";
> {code}
> *Feedback:* Please select any of the options down below to help us get an
> idea about how you felt about the suggestion -
> # Liked it and will make the suggested changes
> # Liked it but happy with the existing version
> # Didn’t find the suggestion helpful
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
