rpicard closed 9 years ago
Thank you very much for the important report. I changed the Encryption class to use CBC mode, especially in this commit.
Please verify whether anything still seems wrong, so that I can post an update to the library later.
I took a quick look and nothing jumps out at me. Crypto bugs are subtle of course, so no promises that it's secure. :+1:
It's my understanding that the default cipher mode for AES with `javax.crypto.cipher` is ECB. You aren't specifying anything else, so it looks like that's what your utility uses. AES used in ECB mode is insecure. Duplicate plaintext blocks will result in the same ciphertext every time. This can be mitigated by using AES in CBC mode with random IVs from a cryptographically secure pseudo-random number generator (CSPRNG). I'm not very familiar with Java, but I think that `SecureRandom` is considered secure as long as you do not seed it manually.