Details
-
Improvement
-
Status: Resolved
-
Major
-
Resolution: Resolved
-
None
-
None
-
None
Description
In file https://github.com/apache/qpid-broker-j/blob/a70ed6f5edbcf0e8690447d48a1fe64e599cb703/broker-core/src/main/java/org/apache/qpid/server/security/encryption/AESKeyFileEncrypter.java (at Line 55), the default "AES" algorithm has been used which imposes insecure "ECB" mode.
Security Impact:
ECB mode allows the attacker to do the following -
detect whether two ECB-encrypted messages are identical;
detect whether two ECB-encrypted messages share a common prefix;
detect whether two ECB-encrypted messages share other common substrings, as long as those substrings are aligned at block boundaries; or
detect whether (and where) a single ECB-encrypted message contains repetitive data (such as long runs of spaces or null bytes, repeated header fields, or coincidentally repeated phrases in the text). - Collected from here
Useful Resources:
https://blog.filippo.io/the-ecb-penguin/
Solution we suggest:
Use GCM mode instead of default or ECB mode.
Please share with us your opinions/comments if there is any:
Is the bug report helpful?