[ https://issues.apache.org/jira/browse/ARTEMIS-3103?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Justin Bertram updated ARTEMIS-3103:
------------------------------------
    Description:
The class {{org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec}} uses Blowfish for encrypting sensitive information.

*Security Impact*:
Blowfish's use of a 64-bit block size (as opposed to e.g. AES's 128-bit block size) makes it vulnerable to [birthday attacks|https://en.wikipedia.org/wiki/Birthday_attack], particularly in contexts like [HTTPS|https://en.wikipedia.org/wiki/HTTPS]. In 2016, the SWEET32 attack demonstrated how to leverage birthday attacks to perform plaintext recovery (i.e. decrypting ciphertext) against ciphers with a 64-bit block size.

*Useful Resources*:
https://cwe.mitre.org/data/definitions/319.html

*Please share with us your opinions/comments if there are any:*
Is the bug report helpful?

was:
In file apache/activemq-artemis/blob/52263663c48082227916cc3477f8892d9f10134b/artemis-commons/src/main/java/org/apache/activemq/artemis/utils/DefaultSensitiveStringCodec.java, Blowfish is used for encrypting sensitive information.

*Security Impact*:
Blowfish's use of a 64-bit block size (as opposed to e.g. AES's 128-bit block size) makes it vulnerable to [birthday attacks|https://en.wikipedia.org/wiki/Birthday_attack], particularly in contexts like [HTTPS|https://en.wikipedia.org/wiki/HTTPS]. In 2016, the SWEET32 attack demonstrated how to leverage birthday attacks to perform plaintext recovery (i.e. decrypting ciphertext) against ciphers with a 64-bit block size.

*Useful Resources*:
https://cwe.mitre.org/data/definitions/319.html

*Please share with us your opinions/comments if there are any:*
Is the bug report helpful?
> Replace blowfish with a more secure encryption algorithm
> ---------------------------------------------------------
>
>                 Key: ARTEMIS-3103
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3103
>             Project: ActiveMQ Artemis
>          Issue Type: Improvement
>          Components: API
>            Reporter: Ying Zhang
>            Priority: Major
>
> The class {{org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec}}
> uses Blowfish for encrypting sensitive information.
> *Security Impact*:
> Blowfish's use of a 64-bit block size (as opposed to e.g. AES's 128-bit block
> size) makes it vulnerable to [birthday
> attacks|https://en.wikipedia.org/wiki/Birthday_attack], particularly in
> contexts like [HTTPS|https://en.wikipedia.org/wiki/HTTPS]. In 2016, the
> SWEET32 attack demonstrated how to leverage birthday attacks to perform
> plaintext recovery (i.e. decrypting ciphertext) against ciphers with a 64-bit
> block size.
> *Useful Resources*:
> https://cwe.mitre.org/data/definitions/319.html
> *Please share with us your opinions/comments if there are any:*
> Is the bug report helpful?
>

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
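The "64-bit block size versus 128-bit block size" argument in the report above rests on the birthday bound: under a b-bit block cipher, a ciphertext block collision becomes likely after roughly 2^(b/2) blocks. The following added example (not code from the issue or from ActiveMQ Artemis) quantifies that bound for Blowfish (64-bit) and AES (128-bit) using the standard approximation p ≈ 1 − exp(−n(n−1)/2^(b+1)), so a reviewer can see how much encrypted data each cipher can process before a collision is probable.

```python
import math


def collision_probability(block_bits: int, n_blocks: int) -> float:
    """Birthday-bound probability that at least two of n_blocks ciphertext
    blocks collide under a cipher with block_bits-bit blocks.

    Uses the standard approximation 1 - exp(-n(n-1) / 2^(b+1)).
    Computed as -expm1(x) to keep precision when the result is tiny."""
    exponent = -(n_blocks * (n_blocks - 1)) / (2 ** (block_bits + 1))
    return -math.expm1(exponent)


def blocks_for_probability(block_bits: int, p: float) -> int:
    """Number of blocks after which the collision probability reaches p
    (inverse of the approximation above)."""
    return math.ceil(math.sqrt(-2 * (2 ** block_bits) * math.log(1.0 - p)))


def data_volume_bytes(block_bits: int, n_blocks: int) -> int:
    """Plaintext/ciphertext volume (in bytes) that n_blocks blocks represent."""
    return n_blocks * (block_bits // 8)


def summarize(block_bits: int, name: str) -> str:
    """One-line risk summary for a cipher of the given block size."""
    n_half = blocks_for_probability(block_bits, 0.5)
    gib = data_volume_bytes(block_bits, n_half) / 2 ** 30
    p_32gib = collision_probability(block_bits, 2 ** 32)
    return (f"{name}: {block_bits}-bit blocks; 50% collision after "
            f"~{n_half:.3g} blocks (~{gib:.3g} GiB); "
            f"p(collision) after 2^32 blocks = {p_32gib:.3g}")


if __name__ == "__main__":
    # Blowfish, as used by DefaultSensitiveStringCodec, versus AES.
    print(summarize(64, "Blowfish"))
    print(summarize(128, "AES"))
```

For Blowfish the 50% mark is reached after about 5e9 blocks, i.e. tens of GiB of data encrypted under one key, whereas AES needs on the order of 2e19 blocks, which is why the report recommends replacing it.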