[ https://issues.apache.org/jira/browse/DELTASPIKE-1406?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17123870#comment-17123870 ]
Mark Struberg commented on DELTASPIKE-1406: ------------------------------------------- Basically I like the idea, but we should also have a fallback to still be able to read SHA-256 encrypted data. > Usage of "SHA-256" and "AES" is insecure > ---------------------------------------- > > Key: DELTASPIKE-1406 > URL: https://issues.apache.org/jira/browse/DELTASPIKE-1406 > Project: DeltaSpike > Issue Type: Improvement > Security Level: public(Regular issues) > Reporter: Md Mahir Asef Kabir > Priority: Major > > *Vulnerability Description:* In > “deltaspike/core/impl/src/main/java/org/apache/deltaspike/core/impl/crypto/DefaultCipherService.java”, > the following algorithms were set to use later - > {code:java} > private static final String HASH_ALGORITHM = "SHA-256"; > private static final String CIPHER_ALGORITHM = "AES"; > {code} > Here, SHA-256 and AES are vulnerable. > *Reason it’s vulnerable:* According to > [this|https://soylentnews.org/article.pl?sid=19/09/10/2351241], SHA256 can be > broken. > ”AES” is also not secure. For further reference, please follow > [this|https://zachgrace.com/posts/attacking-ecb/] > *Suggested Fix:* The secure algorithms to set would be - > {code:java} > private static final String HASH_ALGORITHM = "SHA-512"; > private static final String CIPHER_ALGORITHM = "AES/CFB/PKCS5Padding"; > {code} > *Feedback:* Please select any of the options down below to help us get an > idea about how you felt about the suggestion - > # Liked it and will make the suggested changes > # Liked it but happy with the existing version > # Didn’t find the suggestion helpful -- This message was sent by Atlassian Jira (v8.3.4#803005)