Even with an encrypt-then-MAC approach, using ECB cipher mode is still a really bad idea, as it is a very weak cipher mode that reveals patterns in the resulting ciphertext. However, for completeness and support for legacy encrypted data, we need to support it. And while it is not supported as an out-of-the-box standard ESAPI configuration, it still could be done with custom tweaks to the ESAPI.properties file.
However, just as we log an error when there is an attempt to encrypt something with a key size smaller than the Encryptor.MinEncryptionKeyLength property, there should be a similar error logged when ECB mode (and maybe other cipher modes that are considered weak [which might require a new property to specify them]) is used for encryption.
Also, presently, there is nothing logged (except at DEBUG level) if one were to try to decrypt ciphertext using ECB, but perhaps a warning should be logged for that case, as well as for the use of short keys for decryption purposes.
Related to GitHub issue #651.
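As an added illustration (this is example code written for this page, not code from ESAPI or from the issue author), the Java program below does two things: it shows why ECB is called out as weak, by encrypting a plaintext made of repeated 16-byte blocks with AES/ECB and AES/CBC and counting how many distinct ciphertext blocks come out, and it sketches the kind of configuration check the issue asks for. The `checkCipherConfig` method, the `WEAK_MODES` set and the idea of feeding it a JCE transformation string such as the one ESAPI configures in `Encryptor.CipherTransformation` are all assumptions made for the example; they are not an existing ESAPI API or property. The minimum key length is passed in as a plain integer standing in for `Encryptor.MinEncryptionKeyLength`.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

public class WeakModeCheckDemo {

    // Hypothetical set of cipher modes to treat as weak. The issue suggests
    // this might become a new ESAPI property; it is not an existing setting.
    static final Set<String> WEAK_MODES = new HashSet<>(Arrays.asList("ECB"));

    /**
     * Hypothetical check mirroring what the issue proposes: given a JCE
     * transformation string such as "AES/ECB/PKCS5Padding", the key size in
     * bits and the configured minimum key size, return the problems found.
     * An empty list means nothing needs to be logged.
     */
    static List<String> checkCipherConfig(String transformation, int keyBits, int minKeyBits) {
        List<String> problems = new ArrayList<>();
        String[] parts = transformation.split("/");
        // A bare algorithm name such as "AES" lets the provider choose the
        // mode; SunJCE defaults to ECB in that case, so treat it as ECB.
        String mode = parts.length >= 2 ? parts[1].toUpperCase() : "ECB";
        if (WEAK_MODES.contains(mode)) {
            problems.add("weak cipher mode " + mode + " in transformation " + transformation);
        }
        if (keyBits < minKeyBits) {
            problems.add("key size " + keyBits + " bits is below the minimum of " + minKeyBits);
        }
        return problems;
    }

    /** Count how many distinct 16-byte blocks a ciphertext contains. */
    static int distinctBlocks(byte[] ct) {
        Set<String> seen = new HashSet<>();
        for (int i = 0; i + 16 <= ct.length; i += 16) {
            seen.add(Arrays.toString(Arrays.copyOfRange(ct, i, i + 16)));
        }
        return seen.size();
    }

    public static void main(String[] args) throws Exception {
        // Constructed plaintext: one 16-byte block repeated four times.
        byte[] block = "ATTACK AT DAWN!!".getBytes(StandardCharsets.US_ASCII);
        byte[] pt = new byte[64];
        for (int i = 0; i < 4; i++) {
            System.arraycopy(block, 0, pt, i * 16, 16);
        }

        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();

        Cipher ecb = Cipher.getInstance("AES/ECB/PKCS5Padding");
        ecb.init(Cipher.ENCRYPT_MODE, key);
        byte[] ecbCt = ecb.doFinal(pt);

        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        Cipher cbc = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cbc.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] cbcCt = cbc.doFinal(pt);

        // Both ciphertexts are 5 blocks long (4 data blocks plus one full
        // padding block). Under ECB, equal plaintext blocks give equal
        // ciphertext blocks, so the repetition in the input is visible.
        System.out.println("ECB distinct blocks: " + distinctBlocks(ecbCt) + " of 5");
        System.out.println("CBC distinct blocks: " + distinctBlocks(cbcCt) + " of 5");

        // Stand-in for the error log entry the issue asks ESAPI to emit.
        for (String p : checkCipherConfig("AES/ECB/PKCS5Padding", 128, 128)) {
            System.err.println("ERROR: " + p);
        }
        for (String p : checkCipherConfig("AES/CBC/PKCS5Padding", 64, 128)) {
            System.err.println("ERROR: " + p);
        }
    }
}
```

Run with `javac WeakModeCheckDemo.java && java WeakModeCheckDemo`. The ECB ciphertext contains only two distinct blocks (the repeated data block and the padding block), while the CBC ciphertext has five, which is the pattern leakage the issue refers to. The second `checkCipherConfig` call shows that the same routine covers the existing short-key case, so a single check point could serve both the encryption and the decryption paths mentioned in the issue.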