[
https://issues.apache.org/jira/browse/VFS-792?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17279929#comment-17279929
]
Gary D. Gregory commented on VFS-792:
-------------------------------------
Did you read the Javadoc for this class?
Gary
> Usage of default mode for "AES" is insecure
> --------------------------------------------
>
> Key: VFS-792
> URL: https://issues.apache.org/jira/browse/VFS-792
> Project: Commons VFS
> Issue Type: Improvement
> Reporter: Md Mahir Asef Kabir
> Priority: Major
>
> In file
> [https://github.com/apache/commons-vfs/blob/bd1ed002b0fb0f43505adc469479eb11e9bf731a/commons-vfs2/src/main/java/org/apache/commons/vfs2/util/DefaultCryptor.java]
> (at Line 61), the default "AES" algorithm has been used which imposes
> insecure "ECB" mode.
> *Security Impact*:
> ECB mode allows the attacker to do the following -
> detect whether two ECB-encrypted messages are identical;
> detect whether two ECB-encrypted messages share a common prefix;
> detect whether two ECB-encrypted messages share other common substrings, as
> long as those substrings are aligned at block boundaries; or
> detect whether (and where) a single ECB-encrypted message contains
> repetitive data (such as long runs of spaces or null bytes, repeated header
> fields, or coincidentally repeated phrases in the text). - Collected from
> [here|https://crypto.stackexchange.com/questions/20941/why-shouldnt-i-use-ecb-encryption#:~:text=The%20main%20reason%20not%20to,will%20leak%20to%20some%20extent).]
> *Useful Resources*:
> [https://blog.filippo.io/the-ecb-penguin/]
> *Solution we suggest*:
> Use GCM mode instead of default or ECB mode.
> *Please share with us your opinions/comments if there is any*:
> Is the bug report helpful?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
