noDRM / DeDRM_tools

DeDRM tools for ebooks

Some security related suggestions #525

Closed Gax-c closed 4 months ago

Gax-c commented 6 months ago

Question / bug report

The following are some of my suggestions for DeDRM_tools.

  1. Constant initial vector: The constant initial vector defined here may be considered unsafe. A random IV should be applied for AES in CBC mode.
  2. DES used: The DES algorithm is used here, but DES is considered unsafe, so switching to a stronger one may be a better way.
  3. SHA1 used for IV: A variable called "name_sha" serves as the IV in AES here, which is considered unsafe. A random IV should be applied.
  4. Hardcoded values: There are some hardcoded values existing in the package, like 1, 2, and 3. I'm actually not sure whether this hardcoded info is vulnerable, but there may exist problems.
  5. AES with ECB mode: AES with ECB mode is considered unsafe here.

These problems may not only appear in a single file, so several modifications should be applied if they are confirmed as bugs.

Thanks for reading!

Which version of Calibre are you running?

6.23

Which version of the DeDRM plugin are you running?

v10.0.2

If applicable, which version of the Kindle software are you running?

No response

noDRM commented 4 months ago

Not sure what's the point of this issue report, seems to be auto-generated?

This plugin is decrypting existing data that already exists. If there's existing data that's been encrypted with a constant IV, or a weak cipher like DES or one using SHA1, there's nothing I can do to "fix" that. Until Adobe, Amazon, Kobo, whoever switch to different ciphers, this plugin needs to support all these to decrypt files.

Same as for the hardcoded values / keys. If these are the hardcoded keys used to get to the content, they need to be present in the scripts ...
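
An added illustration of the distinction drawn in the reply above (not code from DeDRM_tools or from either commenter): a small Python `ast` check that reports a fixed AES IV as a weakness only on an encrypt path, and as dictated by the ciphertext producer on a decrypt path. The sample source, function names and verdict labels are constructed for this example; the `AES.new(key, mode, iv)` call shape follows PyCryptodome.

```python
import ast
# Constructed sample input (not DeDRM_tools code); it is only parsed, never run.
SAMPLE = '''
from Crypto.Cipher import AES
FIXED_IV = b"\\x00" * 16
def unwrap(key, blob):
    return AES.new(key, AES.MODE_CBC, FIXED_IV).decrypt(blob)

def wrap(key, data):
    c = AES.new(key, AES.MODE_CBC, b"0123456789abcdef")
    return c.encrypt(data)
'''

def is_literal(node):
    """True when the expression has no names, calls or attribute lookups."""
    return not any(isinstance(n, (ast.Name, ast.Call, ast.Attribute)) for n in ast.walk(node))

def is_aes_new(node):
    f = getattr(node, "func", None)
    return (isinstance(node, ast.Call) and isinstance(f, ast.Attribute) and f.attr == "new"
            and isinstance(f.value, ast.Name) and f.value.id == "AES")

def iv_expr(call):
    """IV of AES.new(key, mode, iv): third positional argument or iv= keyword."""
    if len(call.args) >= 3:
        return call.args[2]
    return next((k.value for k in call.keywords if k.arg == "iv"), None)

def classify(source):
    """Return (function, operation, verdict) for each use of a fixed IV."""
    tree = ast.parse(source)
    consts = {t.id for s in tree.body if isinstance(s, ast.Assign) and is_literal(s.value)
              for t in s.targets if isinstance(t, ast.Name)}
    findings = []
    for fn in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        ciphers = {t.id: s.value for s in ast.walk(fn)
                   if isinstance(s, ast.Assign) and is_aes_new(s.value)
                   for t in s.targets if isinstance(t, ast.Name)}
        for call in (n for n in ast.walk(fn) if isinstance(n, ast.Call)):
            f = call.func
            if not (isinstance(f, ast.Attribute) and f.attr in ("encrypt", "decrypt")):
                continue
            src = f.value if is_aes_new(f.value) else ciphers.get(getattr(f.value, "id", None))
            iv = iv_expr(src) if src is not None else None
            if iv is not None and (is_literal(iv) or (isinstance(iv, ast.Name) and iv.id in consts)):
                # On decrypt the IV was chosen by whoever produced the ciphertext.
                verdict = "weak" if f.attr == "encrypt" else "producer-fixed"
                findings.append((fn.name, f.attr, verdict))
    return findings
```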