Decrypting AES ECB payload

[rmullin-apptio]

Security issue notifications

If you discover a potential security issue in AWS-LC for Rust we ask that you notify AWS Security via our vulnerability reporting page. Please do not create a public github issue, if in doubt contact AWS security first.

Problem:

I have incoming payloads that for historical purposes are encrypted using AES in ECB mode (this is the default AES implementation for Java). From what I've seen, the crate uses ecb internally through the aws-lc library, but the only externally exposed implementations are CTR and CBC. Is there any way to expose that algorithm or use a workaround that

Solution:

A description of the possible solution in terms of AWS-LC for Rust architecture. Highlight and explain any potentially controversial design decisions taken.

• Does this change any public APIs? If yes, explain. Yes, this would effect the public api for AES. I assume the reason this implementation was left as internal only is due to the lower security compared to AES with CBC.

• Which algorithm(s) will this impact? AES

Requirements / Acceptance Criteria:

What must a solution address in order to solve the problem? How do we know the solution is complete?

Either a support for ECB mode, or a workaround for using ECB mode with the existing API.

• RFC links: Links to relevant RFC(s)
• Related Issues: Link any relevant issues
• Will the Usage Guide or other documentation need to be updated? If the API were to change, it should include strong warnings against using this algorithm.
• Testing: How will this change be tested? Call out new integration tests, functional tests, or particularly interesting/important unit tests.

Out of scope:

Is there anything the solution will intentionally NOT address?

[skmcgrail]

Hello @rmullin-apptio,

Can you confirm whether you are using AES/ECB/NoPadding or AES/ECB/PKCS5Padding in your Java application? Just trying to figure out if you need ECB with with or without padding.

Thanks!