[ https://issues.apache.org/jira/browse/VFS-792?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17279929#comment-17279929 ]
Gary D. Gregory commented on VFS-792: ------------------------------------- Did you read the Javadoc for this class? Gary > Usage of default mode for "AES" is insecure > -------------------------------------------- > > Key: VFS-792 > URL: https://issues.apache.org/jira/browse/VFS-792 > Project: Commons VFS > Issue Type: Improvement > Reporter: Md Mahir Asef Kabir > Priority: Major > > In file > [https://github.com/apache/commons-vfs/blob/bd1ed002b0fb0f43505adc469479eb11e9bf731a/commons-vfs2/src/main/java/org/apache/commons/vfs2/util/DefaultCryptor.java] > (at Line 61), the default "AES" algorithm has been used which imposes > insecure "ECB" mode. > *Security Impact*: > ECB mode allows the attacker to do the following - > detect whether two ECB-encrypted messages are identical; > detect whether two ECB-encrypted messages share a common prefix; > detect whether two ECB-encrypted messages share other common substrings, as > long as those substrings are aligned at block boundaries; or > detect whether (and where) a single ECB-encrypted message contains > repetitive data (such as long runs of spaces or null bytes, repeated header > fields, or coincidentally repeated phrases in the text). - Collected from > [here|https://crypto.stackexchange.com/questions/20941/why-shouldnt-i-use-ecb-encryption#:~:text=The%20main%20reason%20not%20to,will%20leak%20to%20some%20extent).] > *Useful Resources*: > [https://blog.filippo.io/the-ecb-penguin/] > *Solution we suggest*: > Use GCM mode instead of default or ECB mode. > *Please share with us your opinions/comments if there is any*: > Is the bug report helpful? -- This message was sent by Atlassian Jira (v8.3.4#803005)