i2p.i2p
Insecure use of (Insecure IV usage: constant IV) in CryptixAESEngine.java
We are a German research group investigating the misuse of cryptographic APIs. We found vulnerabilities in CryptixAESEngine.java at line 53, which can lead to an attack (e.g., semantic security is broken—identical plaintext blocks produce identical ciphertext blocks, leaking structure and enabling pattern analysis).
This is our result:
"explanation": "Direct instantiation of IvParameterSpec to create a constant zero initialization vector (IV).",
"cryptographicObjectType": "IvParameterSpec",
"codeSnippet": "private static final IvParameterSpec ZERO_IV = new IvParameterSpec(new byte[16], 0, 16);",
"vulnerabilityType": "Insecure",
"correction": "Do not use a constant IV. A constant (zero) IV can compromise the security of CBC mode. Instead, generate a fresh, random IV for each cryptographic operation.",
Please also update patched versions in https://repo.i2pd.xyz for debian & raspios, thx
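The effect of a constant CBC IV next to the per-message random IV that the report's correction asks for, as an added example that is not part of the report or of the I2P code base; the class name, key and sample messages are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class ConstantIvDemo { // hypothetical class name
    private static final int BLOCK = 16;
    private static final SecureRandom RNG = new SecureRandom();

    // AES-CBC encrypt; returns IV || ciphertext so the receiver can decrypt.
    static byte[] encrypt(SecretKeySpec key, byte[] iv, byte[] pt) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(pt);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    // Fresh, unpredictable IV for every message.
    static byte[] freshIv() {
        byte[] iv = new byte[BLOCK];
        RNG.nextBytes(iv);
        return iv;
    }

    // Compares the first ciphertext block, skipping the 16-byte IV prefix.
    static boolean sameFirstBlock(byte[] a, byte[] b) {
        return Arrays.equals(Arrays.copyOfRange(a, BLOCK, 2 * BLOCK),
                             Arrays.copyOfRange(b, BLOCK, 2 * BLOCK));
    }

    public static void main(String[] args) throws Exception {
        byte[] k = new byte[16];
        RNG.nextBytes(k);
        SecretKeySpec key = new SecretKeySpec(k, "AES");
        // Constructed sample messages: identical first 16 bytes, different tails.
        byte[] m1 = "HEADER-0000000001|payload A".getBytes(StandardCharsets.UTF_8);
        byte[] m2 = "HEADER-0000000001|payload B".getBytes(StandardCharsets.UTF_8);
        byte[] zeroIv = new byte[BLOCK]; // the flagged pattern: constant all-zero IV
        System.out.println("constant IV, first block repeats: "
            + sameFirstBlock(encrypt(key, zeroIv, m1), encrypt(key, zeroIv, m2)));
        System.out.println("random IV, first block repeats:   "
            + sameFirstBlock(encrypt(key, freshIv(), m1), encrypt(key, freshIv(), m2)));
    }
}
```

Under one key with the constant IV, messages that share a leading block produce the same leading ciphertext block, so an observer can tell they start identically; with a fresh IV per message that equality disappears.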