[ https://issues.apache.org/jira/browse/ARTEMIS-3103?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Justin Bertram updated ARTEMIS-3103:
------------------------------------
    Description: 
The class {{org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec}} 
uses Blowfish to encrypt sensitive information.

*Security Impact*:

Blowfish's use of 64-bit block size (as opposed to e.g. AES's 128-bit block 
size) makes it vulnerable to [birthday 
attacks|https://en.wikipedia.org/wiki/Birthday_attack], particularly in 
contexts like [HTTPS|https://en.wikipedia.org/wiki/HTTPS]. In 2016, the SWEET32 
attack demonstrated how to leverage birthday attacks to perform plaintext 
recovery (i.e. decrypting ciphertext) against ciphers with 64-bit block size.

*Useful Resources*:

https://cwe.mitre.org/data/definitions/319.html

*Please share with us your opinions/comments if there are any:*

Is the bug report helpful?

 

  was:
In file 
apache/activemq-artemis/blob/52263663c48082227916cc3477f8892d9f10134b/artemis-commons/src/main/java/org/apache/activemq/artemis/utils/DefaultSensitiveStringCodec.java
Blowfish is used for encrypting sensitive information

*Security Impact*:

Blowfish's use of 64-bit block size (as opposed to e.g. AES's 128-bit block 
size) makes it vulnerable to [birthday 
attacks|https://en.wikipedia.org/wiki/Birthday_attack], particularly in 
contexts like [HTTPS|https://en.wikipedia.org/wiki/HTTPS]. In 2016, the SWEET32 
attack demonstrated how to leverage birthday attacks to perform plaintext 
recovery (i.e. decrypting ciphertext) against ciphers with 64-bit block size.

*Useful Resources*:

https://cwe.mitre.org/data/definitions/319.html

*Please share with us your opinions/comments if there are any:*

Is the bug report helpful?

 


> Replace blowfish with a more secure encryption algorithm
> ---------------------------------------------------------
>
>                 Key: ARTEMIS-3103
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3103
>             Project: ActiveMQ Artemis
>          Issue Type: Improvement
>          Components: API
>            Reporter: Ying Zhang
>            Priority: Major
>
> The class {{org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec}} 
> uses Blowfish to encrypt sensitive information.
> *Security Impact*:
> Blowfish's use of 64-bit block size (as opposed to e.g. AES's 128-bit block 
> size) makes it vulnerable to [birthday 
> attacks|https://en.wikipedia.org/wiki/Birthday_attack], particularly in 
> contexts like [HTTPS|https://en.wikipedia.org/wiki/HTTPS]. In 2016, the 
> SWEET32 attack demonstrated how to leverage birthday attacks to perform 
> plaintext recovery (i.e. decrypting ciphertext) against ciphers with 64-bit 
> block size.
> *Useful Resources*:
> https://cwe.mitre.org/data/definitions/319.html
> *Please share with us your opinions/comments if there are any:*
> Is the bug report helpful?
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
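
To put numbers on the 64-bit versus 128-bit block-size argument in the issue description, the following added example (not part of the Jira issue or the Artemis code base) computes the birthday bound for both block sizes and checks the formula against a scaled-down 16-bit simulation. It assumes ciphertext blocks under one key behave like uniformly random values; all function names are hypothetical.

```python
import math
import random


def collision_probability(block_bits: int, n_blocks: int) -> float:
    """Birthday approximation: P(two of n random b-bit blocks are equal)."""
    exponent = -n_blocks * (n_blocks - 1) / (2.0 * 2.0 ** block_bits)
    return -math.expm1(exponent)  # 1 - e^x, accurate for tiny probabilities


def blocks_for_probability(block_bits: int, p: float) -> float:
    """Blocks encrypted under one key before a collision has probability p."""
    return math.sqrt(2.0 * 2.0 ** block_bits * math.log(1.0 / (1.0 - p)))


def bytes_for_probability(block_bits: int, p: float) -> float:
    """Same bound expressed as ciphertext volume in bytes."""
    return blocks_for_probability(block_bits, p) * (block_bits // 8)


def simulate(block_bits: int, n_blocks: int, trials: int, seed: int = 1) -> float:
    """Empirical collision rate for a small block size (constructed experiment)."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    hits = 0
    for _ in range(trials):
        seen = set()
        for _ in range(n_blocks):
            block = rng.getrandbits(block_bits)
            if block in seen:
                hits += 1
                break
            seen.add(block)
    return hits / trials


if __name__ == "__main__":
    for bits in (64, 128):  # Blowfish-sized block vs. AES-sized block
        gib = bytes_for_probability(bits, 0.5) / 2 ** 30
        print(f"{bits}-bit block: 50% collision chance after {gib:.3g} GiB per key")
    # Sanity check of the formula on a 16-bit toy block size.
    print("predicted:", round(collision_probability(16, 256), 3),
          "simulated:", round(simulate(16, 256, 2000), 3))
```

The bound scales with the amount of data encrypted under a single key, so the same calculation also shows how much per-key volume a given deployment would need before the 64-bit limit matters.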
