Uploaded image for project: 'Guacamole'
  1. Guacamole
  2. GUACAMOLE-1286

Support a custom IV in guacamole-auth-json

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Open
    • Major
    • Resolution: Unresolved
    • None
    • None
    • guacamole-auth-json
    • None

    Description

      It would be nice to support a custom (not-null) IV in guacamole-auth-json

      We have a cryptography expert at our company that took a look at the implementation here:

      https://github.com/apache/guacamole-client/blob/master/extensions/guacamole-auth-json/src/main/java/org/apache/guacamole/auth/json/CryptoService.java#L76

      according to him:

      • Having a null-IV coupled with the cipher that Guacamole is using (CBC) is far from ideal from security perspective, even with the signature in the payload it's possible to generate the same cipher-text thus it is bruteforce-able
      • He also thinks that it could be nice to use a standard like AEAD (https://en.wikipedia.org/wiki/Authenticated_encryption) in Guacamole instead of using a custom implementation.

      We believe that allowing a null-IV could be problematic and allowing a configurable IV would be a great short-term solution.

      Attachments

        Issue Links

          relates to

          New Feature - A new feature of the product, which has yet to be developed. GUACAMOLE-1218 Move guacamole-auth-json into the main project.

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed

          Activity

            People

              Unassigned Unassigned
              bnzelic Bojan Zelic
              Votes:
              1 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated: