search

simbiose / Encryption

Encryption is a simple way to encrypt and decrypt strings on Android and Java project.
MIT License
354 stars 79 forks source link

AES in ECB mode is Insecure #4

Closed rpicard closed 9 years ago

rpicard commented 9 years ago

It's my understanding that the default cipher mode for AES with javax.crypto.cipher is ECB. You aren't specifying anything else, so it looks like that's what your utility uses. AES used in ECB mode is insecure. Duplicate plaintext blocks will result in the same ciphertext every time.

This can be mitigated by using AES in CBC mode with random IVs from a cryptographically secure pseudo-random number generator (CSPRNG). I'm not very familiar with Java, but I think that SecureRandom is considered secure as long as you do not seed it manually.

ademar111190 commented 9 years ago

Thank you very much by the important report, I changed the Encryption class to uses CBC mode, especially in this commit.

Please verify if something still seem wrong, for later I post an update on library.

rpicard commented 9 years ago

I took a quick look and nothing jumps out at me. Crypto bugs are subtle of course, so no promises that it's secure. :+1: