pubnub / java

PubNub Java-based APIs for core Java, Android

Flagged Crypto.java Security vulnerability #268

Open amsmokefree opened 1 year ago

amsmokefree commented 1 year ago

Spotted this during a routine penetration testing exercise

This class: com/pubnub/api/vendor/Crypto.java

Potential Issues

  1. Configuration is vulnerable to padding oracle attacks: encryption mode CBC with PKCS5/PKCS7 padding
  2. MD5 is also a weak hash known to have hash collisions.

The following algorithms are recommended:

  - Confidentiality algorithms: AES-GCM-256 or ChaCha20-Poly1305
  - Integrity algorithms: SHA-256, SHA-384, SHA-512, Blake2, the SHA-3 family
  - Digital signature algorithms: RSA (3072 bits and higher), ECDSA with NIST P-384
  - Key establishment algorithms: RSA (3072 bits and higher), DH (3072 bits or higher), ECDH with NIST P-384

marcin-cebo commented 1 year ago

Hi,

thank you for this information. We don't have an "oracle" since this is end-to-end encryption. As for MD5, this method is not used. We are going to remove it in the next release though to avoid confusion.