ant-media / Ant-Media-Server

Ant Media Server is a live streaming engine software that provides adaptive, ultra low latency streaming by using WebRTC technology with ~0.5 seconds latency. Ant Media Server is auto-scalable and it can run on-premise or on-cloud.
https://antmedia.io

Insecure DH Base for KeyPair Generation #5542

Open akwick opened 1 year ago

akwick commented 1 year ago

Short description

Brief description of what happened

A Diffie-Hellman (DH) base of 2 is used to generate the DHParameterSpec that is later used to call the method generateKeyPair. A small base (g) is considered insecure as the resulting group will be small, e.g., g = 1 results in a group with one element. The BSI technical report BSI-TR-02102-1 includes details in Section 8.2.1 Diffie-Hellman.

(Context: @schlichtig and I manually reviewed randomly sampled JCA usages for a benchmark to identify secure or insecure usages of the API.)

Environment

Steps to reproduce

  1. Manually inspect the class RTMPHandshake.java
  2. Read security guidelines, such as the technical guidelines by BSI mentioned above.

Expected behavior

Put as much detail here as possible

Parameters are selected with secure values.

Actual behavior

Put as much detail here as possible

Parameters are selected with an insecure value.
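A parameter check that could run before a DHParameterSpec reaches generateKeyPair, as an added example that is not part of the original issue or the project's code. The class name, the `minBits` threshold and the sample inputs are assumptions; the check accepts only safe-prime moduli and reports the order of the subgroup that g generates.

```java
import java.math.BigInteger;
import java.security.KeyPairGenerator;
import javax.crypto.interfaces.DHPublicKey;
import javax.crypto.spec.DHParameterSpec;

// Hypothetical helper class, written for this example only.
public class DhParamCheck {
    static final BigInteger ONE = BigInteger.ONE, TWO = BigInteger.valueOf(2);

    /** Returns null if (p, g) pass the checks, otherwise the reason for rejection. */
    static String check(DHParameterSpec spec, int minBits) {
        BigInteger p = spec.getP(), g = spec.getG();
        if (p.bitLength() < minBits) return "modulus shorter than " + minBits + " bits";
        // g = 1 generates {1} and g = p - 1 generates {1, p - 1}; both are degenerate.
        if (g.compareTo(TWO) < 0 || g.compareTo(p.subtract(TWO)) > 0) return "generator outside [2, p-2]";
        if (!p.isProbablePrime(64)) return "modulus is not prime";
        // Safe prime: q = (p - 1) / 2 must be prime as well.
        if (!p.subtract(ONE).shiftRight(1).isProbablePrime(64)) return "modulus is not a safe prime";
        return null;
    }

    /** For a safe prime p = 2q + 1 and g in [2, p-2], the order of g is either q or 2q. */
    static BigInteger subgroupOrder(DHParameterSpec spec) {
        BigInteger p = spec.getP(), q = p.subtract(ONE).shiftRight(1);
        return spec.getG().modPow(q, p).equals(ONE) ? q : q.shiftLeft(1);
    }

    public static void main(String[] args) throws Exception {
        int minBits = 2048; // assumption: take the threshold from the guideline you follow
        // Parameters the installed JDK provider selects for a 2048-bit request.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH");
        kpg.initialize(2048);
        DHParameterSpec jdk = ((DHPublicKey) kpg.generateKeyPair().getPublic()).getParams();
        // Constructed inputs: the same modulus with degenerate generators, and a toy modulus.
        String[] names = {"provider default", "g = 1", "g = p - 1", "toy p = 23"};
        DHParameterSpec[] specs = {
            jdk,
            new DHParameterSpec(jdk.getP(), ONE),
            new DHParameterSpec(jdk.getP(), jdk.getP().subtract(ONE)),
            new DHParameterSpec(BigInteger.valueOf(23), BigInteger.valueOf(5))
        };
        for (int i = 0; i < specs.length; i++) {
            String reason = check(specs[i], minBits);
            System.out.println(names[i] + ": " + (reason != null ? "rejected, " + reason
                : "ok, subgroup order has " + subgroupOrder(specs[i]).bitLength() + " bits"));
        }
    }
}
```

Groups built on a prime-order subgroup of a non-safe prime are rejected by this check and would need a separate test that g has the stated order q.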

mekya commented 1 year ago

Hi @akwick,

Thank you very much for creating the issue and for your contribution to the project. I've put this in the backlog.

If you also have a chance to send a PR, we'll really appreciate your contribution.

Have a great day

Regards, Oguz