
Possible Vulnerabilities

Open NotAFile opened this issue 6 years ago • 2 comments

I saw this in f-droid and felt like checking your crypto code.

I'm not familiar with the Java crypto libraries, but from what I can tell, it has a number of crypto issues:

  • It appears you are using SHA256 for key derivation. This is very fast to compute (and brute force) and unsuitable for deriving an AES key from. Consider using, say, PBKDF2 instead.
  • You are using CBC; however, it appears you are not using a Message Authentication Code to verify the integrity of the message. This means your code is, at least theoretically, vulnerable to a padding oracle and message modification. You can verify the integrity of the ciphertext with e.g. a SHA256 HMAC to prevent this.
  • It appears you are using a hardcoded IV. This is un-ideal in general, but with some modes, like CBC, it is potentially catastrophic, in this case if the same message is encrypted with multiple keys.

NotAFile, Jun 03 '18 10:06
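Added example, not part of the issue and not EncryptTextApp's code: the three suggestions above (PBKDF2 instead of a bare SHA256, a random per-message IV, and an HMAC-SHA256 checked before CBC decryption) combined in one helper class. The class name, iteration count, subkey labels and message layout are assumptions, and it needs a runtime that provides `PBKDF2WithHmacSHA256` (Java 8 or later).

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.ByteBuffer;
import java.security.*;
import java.util.Arrays;

// Added example, not EncryptTextApp code. Assumed layout: salt(16) | iv(16) | ciphertext | tag(32).
public class SealedText {
    static final int ITERATIONS = 200_000; // assumed work factor; tune for the target device

    static byte[] hmac(byte[] key, byte[] data, int len) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        mac.update(data, 0, len);
        return mac.doFinal();
    }

    // Slow PBKDF2 step once, then two independent subkeys: [0] for AES, [1] for the MAC.
    static byte[][] keys(char[] pw, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(pw, salt, ITERATIONS, 256);
        byte[] master = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        return new byte[][] { hmac(master, new byte[] {1}, 1), hmac(master, new byte[] {2}, 1) };
    }

    static byte[] encrypt(char[] pw, byte[] plain) throws GeneralSecurityException {
        byte[] salt = new byte[16], iv = new byte[16];
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(salt);
        rng.nextBytes(iv); // fresh random IV for every message, never a constant
        byte[][] k = keys(pw, salt);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(k[0], "AES"), new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plain);
        ByteBuffer out = ByteBuffer.allocate(64 + ct.length).put(salt).put(iv).put(ct);
        return out.put(hmac(k[1], out.array(), 32 + ct.length)).array(); // encrypt-then-MAC
    }

    static byte[] decrypt(char[] pw, byte[] msg) throws GeneralSecurityException {
        if (msg.length < 80) throw new GeneralSecurityException("message too short");
        int body = msg.length - 32;
        byte[][] k = keys(pw, Arrays.copyOfRange(msg, 0, 16));
        // Constant-time tag check; reject before any CBC or padding processing runs.
        if (!MessageDigest.isEqual(hmac(k[1], msg, body), Arrays.copyOfRange(msg, body, msg.length)))
            throw new GeneralSecurityException("authentication failed");
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(k[0], "AES"), new IvParameterSpec(msg, 16, 16));
        return c.doFinal(msg, 32, body - 32);
    }
}
```

Because the tag covers the salt, IV and ciphertext, a modified message or a wrong passphrase fails with the same "authentication failed" error before the padding is ever examined.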