Security Vulnerability in Lift's 3DES & Blowfish encryption
All of the Blowfish/3DES encryption functions use all-zero IVs in CBC mode. This is pretty much unconditionally bad; IVs need to be generated via a cryptographically secure PRNG (i.e., SecureRandom), or else the scheme is vulnerable to adaptive chosen-plaintext attacks[1].
[1] http://www.springerlink.com/content/3bg9hmrd0hndk1fy/
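
The effect of the fixed IV, next to the corrected pattern, as an added example that is not Lift's own code: it uses the standard JCE `DESede/CBC/PKCS5Padding` transformation, and the object name, method names and sample plaintexts are constructed for illustration.

```scala
import java.security.SecureRandom
import javax.crypto.{Cipher, KeyGenerator, SecretKey}
import javax.crypto.spec.IvParameterSpec

// Hypothetical demo object; none of these names come from Lift.
object CbcIvDemo {
  private val Transform = "DESede/CBC/PKCS5Padding"
  private val BlockSize = 8 // 3DES and Blowfish both use 64-bit blocks
  private val rng = new SecureRandom()

  // The pattern the report describes: CBC with a fixed all-zero IV.
  def encryptZeroIv(key: SecretKey, plain: Array[Byte]): Array[Byte] = {
    val c = Cipher.getInstance(Transform)
    c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(new Array[Byte](BlockSize)))
    c.doFinal(plain)
  }

  // Corrected: a fresh IV from SecureRandom per message, prepended to the ciphertext.
  def encryptRandomIv(key: SecretKey, plain: Array[Byte]): Array[Byte] = {
    val iv = new Array[Byte](BlockSize)
    rng.nextBytes(iv)
    val c = Cipher.getInstance(Transform)
    c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv))
    iv ++ c.doFinal(plain)
  }

  // The IV is not secret; the receiver reads it back from the first block.
  def decryptRandomIv(key: SecretKey, msg: Array[Byte]): Array[Byte] = {
    val (iv, body) = msg.splitAt(BlockSize)
    val c = Cipher.getInstance(Transform)
    c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv))
    c.doFinal(body)
  }

  def main(args: Array[String]): Unit = {
    val key = KeyGenerator.getInstance("DESede").generateKey()
    // Constructed plaintexts that share their first 16 bytes (two cipher blocks).
    val a = "user=alice;role=admin".getBytes("UTF-8")
    val b = "user=alice;role=guest".getBytes("UTF-8")
    val (z1, z2) = (encryptZeroIv(key, a), encryptZeroIv(key, b))
    println("zero IV, shared prefix visible: " + z1.take(16).sameElements(z2.take(16)))
    println("zero IV, repeat message visible: " + z1.sameElements(encryptZeroIv(key, a)))
    val (r1, r2) = (encryptRandomIv(key, a), encryptRandomIv(key, a))
    println("random IV, repeat message visible: " + r1.sameElements(r2))
    println("random IV round trip ok: " + decryptRandomIv(key, r1).sameElements(a))
  }
}
```

A random IV addresses only the predictability problem raised here; CBC on its own still provides no integrity protection for the ciphertext.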