Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cryptographic Standard Algorithms Security vulnerability spotted in FileEncryptionUtilKT.kt #299

Open
amsmokefree opened this issue Feb 1, 2024 · 0 comments

Comments

@amsmokefree
Copy link

amsmokefree commented Feb 1, 2024

Spotted this during a routine penetration testing exercise

https://github.com/pubnub/java/blob/master/src/main/kotlin/com/pubnub/api/crypto/util/FileEncryptionUtilKT.kt

Mobile apps should not use cryptographic algorithms and protocols that have significant known weaknesses or are otherwise insufficient for modern security requirements. Algorithms that were considered secure in the past may become insecure over time; therefore, it's important to periodically check current best practices and adjust configurations accordingly.

These tests include verification that cryptographic algorithms are up to date and in-line with industry standards. Vulnerable algorithms include outdated block ciphers (such as DES and 3DES), stream ciphers (such as RC4), hash functions (such as MD5 and SHA1), and broken random number generators (such as Dual_EC_DRBG and SHA1PRNG).

Note that even algorithms that are certified (for example, by NIST) can become insecure over time.

Algorithms with known weaknesses should be replaced with more secure alternatives.

Outlined instances of cryptographic algorithms that are known to be weak, such as:

• DES, 3DES
• RC2
• RC4
• BLOWFISH • MD4
• MD5
• SHA1

Upon inspection we identified the following usage of outdated cryptographic algorithms in the following code parts:

 @Throws(NoSuchAlgorithmException::class)
    private fun randomIv(): ByteArray {
        val randomIv = ByteArray(IV_SIZE_BYTES)
        SecureRandom.getInstance("SHA1PRNG").nextBytes(randomIv)
        return randomIv
    }

Using only algorithms suggested by BSI; see the following resource for details: https://www.keylength.com/en/8/

@amsmokefree amsmokefree changed the title Security vulnerability Cryptographic Standard Algorithms Security vulnerability spotted in FileEncryptionUtilKT.kt Feb 1, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant