Vulnerability
|
String salt = sha256Sum(passphrase).toLowerCase() |
|
byte[] b_secret = passwordKeyDerivation(passphrase, salt) |
|
String salt = sha256Sum(passphrase).toLowerCase() |
|
byte[] b_secret = passwordKeyDerivation(passphrase, salt) |
The salt is derived from sha256Sum(passphrase). Two encryption operations with the same password will have the same derived key.
Impact
Pre-computation attacks.
Severity is considered low for internal uses of this library and high for consumers of this library.
Patches
Jervis will generate a random salt for each password and store it alongside the ciphertext.
Upgrade to Jervis 2.2.
Workarounds
None
References
Vulnerability
jervis/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy
Lines 869 to 870 in 157d2b6
jervis/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovy
Lines 894 to 895 in 157d2b6
The salt is derived from sha256Sum(passphrase). Two encryption operations with the same password will have the same derived key.
Impact
Pre-computation attacks.
Severity is considered low for internal uses of this library and high for consumers of this library.
Patches
Jervis will generate a random salt for each password and store it alongside the ciphertext.
Upgrade to Jervis 2.2.
Workarounds
None
References