search

mogol / flutter_secure_storage

A Flutter plugin to store data in secure storage
https://pub.dartlang.org/packages/flutter_secure_storage
BSD 3-Clause "New" or "Revised" License
1.13k stars 375 forks source link

App uses the encryption mode CBC with PKCS5/PKCS7 padding #759

Closed ftopacho closed 2 months ago

ftopacho commented 3 months ago

I have also been flagged for vulnerable padding being used in my Huawei proprietary libraries and using. I would like to understand if upgrading the Huawei library will help remediate this vulnerability?

code snippet Cipher cipher = Cipher.getInstance("AES/CBC/PKS5Padding")

Recommendation

Incorporate a secure checksum known as a Message Authentication Code. This MAC is typically produced by a secure "keyed hash", using the same key that encrypted the message. The message is first encrypted, and then the ciphertext, along with information about how it was encrypted such as the cipher algorithm, cipher mode, key size, block size and IV, is hashed using the MAC algorithm and the same key.

juliansteenbakker commented 2 months ago

Hi, a possible fix for this issue will be discussed in #769