Md Mahir Asef Kabir created QPID-8504:
-----------------------------------------
Summary: Usage of default mode for "AES" is insecure
Key: QPID-8504
URL: https://issues.apache.org/jira/browse/QPID-8504
Project: Qpid
Issue Type: Improvement
Reporter: Md Mahir Asef Kabir
In file
https://github.com/apache/qpid-broker-j/blob/a70ed6f5edbcf0e8690447d48a1fe64e599cb703/broker-core/src/main/java/org/apache/qpid/server/security/encryption/AESKeyFileEncrypter.java
(at Line 55), the default "AES" algorithm has been used which imposes insecure
"ECB" mode.
*Security Impact*:
ECB mode allows the attacker to do the following -
detect whether two ECB-encrypted messages are identical;
detect whether two ECB-encrypted messages share a common prefix;
detect whether two ECB-encrypted messages share other common substrings, as
long as those substrings are aligned at block boundaries; or
detect whether (and where) a single ECB-encrypted message contains repetitive
data (such as long runs of spaces or null bytes, repeated header fields, or
coincidentally repeated phrases in the text). - Collected from
[here|https://crypto.stackexchange.com/questions/20941/why-shouldnt-i-use-ecb-encryption#:~:text=The%20main%20reason%20not%20to,will%20leak%20to%20some%20extent).]
*Useful Resources*:
https://blog.filippo.io/the-ecb-penguin/
*Solution we suggest*:
Use GCM mode instead of default or ECB mode.
*Please share with us your opinions/comments if there is any*:
Is the bug report helpful?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
