Cryptographic API Misuse Vulnerability: Do not use non-random/static/predictable IVs in CBC #29
Comments
Hello. http://www.rootca.or.kr/kcac/down/TechSpec/2.3-KCAC.TS.ENC.pdf
Description:
PyPinkSign v0.5.1 is a friendly Python library for NPKI.
It uses a non-random, static IV for Cipher Block Chaining (CBC) mode in AES encryption. Using a default, predictable IV can lead to vulnerabilities such as the disclosure of information about the plaintext of subsequent messages.
IV=0123456789012345
Affected Version
v0.5.1
Location:
https://github.com/bandoche/PyPinkSign/blob/main/pypinksign/pypinksign.py#L504
https://github.com/bandoche/PyPinkSign/blob/main/pypinksign/pypinksign.py#L537
Reference
Expected Behavior:
The IV for CBC mode should be random and unpredictable for each encryption operation to ensure the security of the encryption scheme.
Actual Behavior:
A static IV is used across encryption operations, making the encrypted data less secure and potentially leading to patterns that can be exploited by attackers. Default:
IV=0123456789012345
Recommendation
Do not set a default constant IV for CBC encryption, and modify the encryption process to generate a random IV each time an encryption operation is performed.
Addressing these issues is critical to maintaining the confidentiality and integrity of the data processed by PyPinkSign. It is recommended to take immediate action to correct these vulnerabilities and prevent potential exploits.
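The following is an added example, not code from PyPinkSign or from the issue reporter. It shows concretely what the static-IV pattern leaks and what the recommended fix looks like: `encrypt_static_iv` reproduces the weak behaviour with the fixed IV quoted above, `encrypt_random_iv`/`decrypt_random_iv` draw a fresh IV from the OS CSPRNG per call and carry it as the first block of the output, and `shared_prefix_blocks` counts how many leading ciphertext blocks an observer sees repeated. The key, the two sample records and all function names are constructed for illustration; the example assumes the `cryptography` package is installed.

```python
import os
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

BLOCK = 16
# The fixed 16-byte default IV quoted in the issue.
STATIC_IV = b"0123456789012345"


def _pkcs7_pad(data: bytes) -> bytes:
    padder = padding.PKCS7(128).padder()
    return padder.update(data) + padder.finalize()


def _pkcs7_unpad(data: bytes) -> bytes:
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(data) + unpadder.finalize()


def encrypt_static_iv(key: bytes, plaintext: bytes) -> bytes:
    """Weak pattern: every call chains from the same IV, so the output is a
    deterministic function of (key, plaintext)."""
    enc = Cipher(algorithms.AES(key), modes.CBC(STATIC_IV)).encryptor()
    return enc.update(_pkcs7_pad(plaintext)) + enc.finalize()


def encrypt_random_iv(key: bytes, plaintext: bytes) -> bytes:
    """Hardened form: a fresh IV from the OS CSPRNG on every call, sent in the
    clear as the first block of the output (an IV must be unpredictable, not secret)."""
    iv = os.urandom(BLOCK)
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return iv + enc.update(_pkcs7_pad(plaintext)) + enc.finalize()


def decrypt_random_iv(key: bytes, blob: bytes) -> bytes:
    """Inverse of encrypt_random_iv: split off the IV block, then CBC-decrypt."""
    iv, ciphertext = blob[:BLOCK], blob[BLOCK:]
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    return _pkcs7_unpad(dec.update(ciphertext) + dec.finalize())


def shared_prefix_blocks(ct_a: bytes, ct_b: bytes) -> int:
    """Count the leading 16-byte blocks that are identical in two ciphertexts.
    Under a static IV this equals the number of leading plaintext blocks the two
    messages have in common, which is exactly what leaks to an observer."""
    n = 0
    for i in range(0, min(len(ct_a), len(ct_b)), BLOCK):
        if ct_a[i:i + BLOCK] != ct_b[i:i + BLOCK]:
            break
        n += 1
    return n


# Constructed sample data (not from the project): one key and two records that
# agree on their first 16 bytes ("ACCOUNT=1234-567") and differ afterwards.
KEY = bytes(range(16))
RECORD_A = b"ACCOUNT=1234-5678;BALANCE=100"
RECORD_B = b"ACCOUNT=1234-5678;BALANCE=999"


def compare_iv_strategies() -> dict:
    """Return what an observer learns from the ciphertexts under each strategy."""
    s1, s2 = encrypt_static_iv(KEY, RECORD_A), encrypt_static_iv(KEY, RECORD_A)
    sa, sb = encrypt_static_iv(KEY, RECORD_A), encrypt_static_iv(KEY, RECORD_B)
    r1, r2 = encrypt_random_iv(KEY, RECORD_A), encrypt_random_iv(KEY, RECORD_A)
    ra, rb = encrypt_random_iv(KEY, RECORD_A), encrypt_random_iv(KEY, RECORD_B)
    return {
        # same message twice -> identical ciphertext under the static IV
        "static_same_message_repeats": s1 == s2,
        # shared 16-byte prefix -> first ciphertext block repeats under the static IV
        "static_shared_prefix_blocks": shared_prefix_blocks(sa, sb),
        # with a random IV neither repetition is visible
        "random_same_message_repeats": r1 == r2,
        "random_shared_prefix_blocks": shared_prefix_blocks(ra, rb),
        "random_roundtrip_ok": decrypt_random_iv(KEY, r1) == RECORD_A,
    }


if __name__ == "__main__":
    for name, value in compare_iv_strategies().items():
        print(f"{name}: {value}")
```

Running it shows `static_same_message_repeats: True` and `static_shared_prefix_blocks: 1` (the block covering `ACCOUNT=1234-567` is identical in both records' ciphertexts), while the random-IV variant reports `False` and `0` and still round-trips. Note that a random IV removes this determinism but does not add integrity: CBC ciphertext is malleable, so data that must also be protected against tampering still needs a MAC over IV and ciphertext, or an AEAD mode.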