[
https://issues.apache.org/jira/browse/DELTASPIKE-1406?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17123870#comment-17123870
]
Mark Struberg commented on DELTASPIKE-1406:
-------------------------------------------
Basically I like the idea, but we should also have a fallback to still be able
to read SHA-256 encrypted data.
> Usage of "SHA-256" and "AES" is insecure
> ----------------------------------------
>
> Key: DELTASPIKE-1406
> URL: https://issues.apache.org/jira/browse/DELTASPIKE-1406
> Project: DeltaSpike
> Issue Type: Improvement
> Security Level: public(Regular issues)
> Reporter: Md Mahir Asef Kabir
> Priority: Major
>
> *Vulnerability Description:* In
> “deltaspike/core/impl/src/main/java/org/apache/deltaspike/core/impl/crypto/DefaultCipherService.java”,
> the following algorithms were set to use later -
> {code:java}
> private static final String HASH_ALGORITHM = "SHA-256";
> private static final String CIPHER_ALGORITHM = "AES";
> {code}
> Here, SHA-256 and AES are vulnerable.
> *Reason it’s vulnerable:* According to
> [this|https://soylentnews.org/article.pl?sid=19/09/10/2351241], SHA256 can be
> broken.
> ”AES” is also not secure. For further reference, please follow
> [this|https://zachgrace.com/posts/attacking-ecb/]
> *Suggested Fix:* The secure algorithms to set would be -
> {code:java}
> private static final String HASH_ALGORITHM = "SHA-512";
> private static final String CIPHER_ALGORITHM = "AES/CFB/PKCS5Padding";
> {code}
> *Feedback:* Please select any of the options down below to help us get an
> idea about how you felt about the suggestion -
> # Liked it and will make the suggested changes
> # Liked it but happy with the existing version
> # Didn’t find the suggestion helpful
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
