Flagged Crypto.java Security vulnerability #268

Open
amsmokefree opened this issue Feb 21, 2023 · 1 comment

Comments

@amsmokefree

Spotted this during a routine penetration testing exercise

This class: com/pubnub/api/vendor/Crypto.java

Potential Issues

  1. Configuration is vulnerable to padding oracle attacks: encryption mode CBC with PKCS5/PKCS7 padding.
  2. MD5 is also a weak hash known to have hash collisions.

The following algorithms are recommended:

Confidentiality algorithms: AES-GCM-256 or ChaCha20-Poly1305
Integrity algorithms: SHA-256, SHA-384, SHA-512, Blake2, the SHA-3 family
Digital signature algorithms: RSA (3072 bits and higher), ECDSA with NIST P-384
Key establishment algorithms: RSA (3072 bits and higher), DH (3072 bits or higher), ECDH with NIST P-384

@amsmokefree amsmokefree changed the title Potential Crypto.java Security vulnerability Flagged Crypto.java Security vulnerability Feb 21, 2023
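As an added example (this is not the PubNub SDK's Crypto.java and not the reporter's code), the following Java program puts the flagged AES/CBC/PKCS5Padding construction next to the recommended AES-256-GCM and shows what a receiver observes when a single ciphertext byte is modified in transit. Class and method names, the IV/nonce framing, and the sample message are assumptions chosen for illustration; only JDK classes are used.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;

// Added example, not PubNub SDK code: AES/CBC/PKCS5Padding (unauthenticated)
// beside AES-256-GCM (authenticated), with a one-byte tamper applied to each.
public class AeadComparison {

    private static final SecureRandom RNG = new SecureRandom();
    private static final int IV_BYTES = 16;         // AES block size, used by CBC
    private static final int GCM_NONCE_BYTES = 12;  // standard GCM nonce length
    private static final int GCM_TAG_BITS = 128;

    // --- The flagged construction: CBC + PKCS5, no integrity check. ---
    // Output framing (assumption): 16-byte IV || ciphertext.
    static byte[] encryptCbc(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        return concat(iv, c.doFinal(plaintext));
    }

    static byte[] decryptCbc(SecretKey key, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, key,
               new IvParameterSpec(Arrays.copyOfRange(blob, 0, IV_BYTES)));
        return c.doFinal(blob, IV_BYTES, blob.length - IV_BYTES);
    }

    // --- Recommended: AES-256-GCM. Output framing (assumption):
    //     12-byte nonce || ciphertext || 16-byte tag (the JDK appends the tag). ---
    static byte[] encryptGcm(SecretKey key, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[GCM_NONCE_BYTES];
        RNG.nextBytes(nonce);  // a nonce must never repeat under the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, nonce));
        return concat(nonce, c.doFinal(plaintext));
    }

    static byte[] decryptGcm(SecretKey key, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key,
               new GCMParameterSpec(GCM_TAG_BITS, blob, 0, GCM_NONCE_BYTES));
        // Tag is verified before any plaintext is released; any change -> AEADBadTagException.
        return c.doFinal(blob, GCM_NONCE_BYTES, blob.length - GCM_NONCE_BYTES);
    }

    private static byte[] concat(byte[] a, byte[] b) {
        byte[] out = Arrays.copyOf(a, a.length + b.length);
        System.arraycopy(b, 0, out, a.length, b.length);
        return out;
    }

    interface Decryptor { byte[] decrypt(byte[] blob) throws Exception; }

    // Flip one bit of one ciphertext byte and report what the receiver sees.
    static String observeTamper(String label, byte[] blob, int index, Decryptor d) {
        byte[] tampered = blob.clone();
        tampered[index] ^= 0x01;
        try {
            byte[] pt = d.decrypt(tampered);
            return label + ": accepted, returned " + pt.length + " bytes (silently garbled)";
        } catch (AEADBadTagException e) {          // subclass of BadPaddingException, so catch first
            return label + ": rejected, authentication tag mismatch";
        } catch (BadPaddingException e) {
            return label + ": rejected with a padding error (a distinguishable failure)";
        } catch (Exception e) {
            return label + ": " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        // Constructed sample message; 47 bytes, so it spans three AES blocks after padding.
        byte[] msg = "constructed sample message spanning several AES blocks".getBytes(StandardCharsets.UTF_8);

        byte[] cbc = encryptCbc(key, msg);
        byte[] gcm = encryptGcm(key, msg);
        System.out.println("CBC round trip ok: " + Arrays.equals(msg, decryptCbc(key, cbc)));
        System.out.println("GCM round trip ok: " + Arrays.equals(msg, decryptGcm(key, gcm)));

        // CBC: a flip in the first ciphertext block leaves the final block's padding intact,
        // so garbled plaintext is returned without error; a flip in the last block usually
        // surfaces as a padding error. The two outcomes differ, which is the property the
        // report objects to. GCM rejects both modifications identically.
        System.out.println(observeTamper("CBC, first block", cbc, IV_BYTES, b -> decryptCbc(key, b)));
        System.out.println(observeTamper("CBC, last block", cbc, cbc.length - 1, b -> decryptCbc(key, b)));
        System.out.println(observeTamper("GCM, first block", gcm, GCM_NONCE_BYTES, b -> decryptGcm(key, b)));
        System.out.println(observeTamper("GCM, last byte", gcm, gcm.length - 1, b -> decryptGcm(key, b)));
    }
}
```

Compile and run with `javac AeadComparison.java && java AeadComparison`. The point for a reviewer of a CBC implementation is the contrast in the last four lines: with GCM the receiver learns only "rejected" and never sees a byte of plaintext, so there is no difference in behaviour for a sender to observe; if CBC must be retained for compatibility, the equivalent defence is an encrypt-then-MAC tag (for example HMAC-SHA-256 over IV and ciphertext) verified in constant time before any decryption is attempted.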
@marcin-cebo
Contributor

Hi,

thank you for this information. We don't have an "oracle" since this is end-to-end encryption. As for MD5, this method is not used. We are going to remove it in the next release though, to avoid confusion.
