Security Vulnerability in Lift's 3DES & Blowfish encryption

all of the Blowfish/3DES encryption functions use all-zero IVs in CBC mode. This is pretty much unconditionally bad; IVs need to be generated via a cryptographically secure PRNGs (i.e., SecureRandom) or else the scheme is vulnerable to adaptive chosen plaintext attacks[1].

[1] http://www.springerlink.com/content/3bg9hmrd0hndk1fy/

Leave a comment

on 2011-01-24 21:17 *

By dpp

Status changed from Accepted to Test

on 2011-01-27 03:42 *

By dpp

Status changed from Test to Fixed

Drop the files anywhere in this page to upload them as attachments.

Related Tickets

Add people from your team or external to follow ticket activity

Followers will receive email updates about new ticket activity or emails sent to liftweb+858@tickets.assembla.com