Details
Type: Bug
Status: Open
Priority: Major
Resolution: Unresolved
Description
In my opinion, OFBiz should remove, or deprecate and remove, the implementation for DES crypto - class org.apache.ofbiz.base.crypto.DesCrypt.
DES encryption is broken and insecure, to my knowledge.
https://en.wikipedia.org/wiki/Data_Encryption_Standard
https://www.techtarget.com/searchsecurity/tip/Expert-advice-Encryption-101-Triple-DES-explained
https://docs.oracle.com/en/java/javase/11/docs/specs/security/standard-names.html
In my opinion - it should be removed from the code in new releases.
If people have data encrypted with this they should migrate somehow.
Probably via an export-import?