Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Quite a few cryptographic insecurities

See original GitHub issue

I just searched “AES encryption” on Github to see what poor implementations of AES I could find and I came across your implementation.

There’s quite a few issues with how you’re using it here.

  1. Insecure initialization vector – I’ll leave this to you to figure out why not picking a secure random IV for every encryption you do is bad. “16CHARSLONG12345” is most definitely not a secure, random IV.
  2. Insecure password hashing – Use a stronger hashing function like Bcrypt, scrypt, or pbkdf2.
  3. Unauthenticated cipher mode – You’re using CBC without any authentication of any kind. Look into using CBC with HMAC or a different AEAD like GCM mode or using libsodium’s SecretBox.
  4. Ideally, you would derive different keys for each file. It looks like you’re using the same key for every file.

There’s probably more, but this was a quick look over.

Checkout “Cryptography Engineering” by Bruce Schneier and Niels Ferguson to learn how to safely and properly implement cryptographic functions like this.

Issue Analytics

  • State:closed
  • Created 6 years ago
  • Reactions:1
  • Comments:6 (5 by maintainers)

github_iconTop GitHub Comments

Sigmanorcommented, Dec 7, 2018

Solved in pull requests #9 #10 by @h5p9sl

New release with this changes is planned tomorrow.

Sigmanorcommented, Nov 24, 2018

Small improvements in solving this issue - #9

Read more comments on GitHub >

github_iconTop Results From Across the Web

Cryptographic Failures Vulnerability - Examples & Prevention
Cryptographic failures vulnerabilities are causing exposure of sensitive data. Learn how to test and prevent them from happening.
Read more >
A02 Cryptographic Failures - OWASP Top 10:2021
Scenario #2: A site doesn't use or enforce TLS for all pages or supports weak encryption. An attacker monitors network traffic (e.g., at...
Read more >
M5: Insufficient Cryptography
Insecure use of cryptography is common in most mobile apps that leverage encryption. There are two fundamental ways that broken cryptography is manifested ......
Read more >
Insecure Cryptographic Storage Vulnerability
Insecure Cryptographic Storage vulnerability is a type of flaw in the way that data is being stored and secured online.
Read more >
Making sure crypto remains insecure [pdf]
I've reviewed lots of expertly developed cryptosystems and found exploitable problems. My experience suggests that even good implementors do not ...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found