Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cryptographic API Misuse Vulnerability : Do not use non-random/static)predictable IVs in CBC #966

Closed
gxx777 opened this issue Jan 8, 2024 · 1 comment

Comments

@gxx777
Copy link

gxx777 commented Jan 8, 2024

Hello,
Thanks for maintaining the repository. Our team is a research organization focusing on cryptographic engineering. Recently, we discovered the potential risks by our Python Cryptographic APIs misuse detector:

Description:

It utilizes a non-random or static IV for Cipher Block Chaining (CBC) mode in AES encryption. Using default predictable IVs can lead to vulnerabilities like the disclosure of information about the plaintext of subsequent messages. b"0102030405060708"

Location:

https://github.com/darknessomi/musicbox/blob/master/NEMbox/encrypt.py#L50

Reference

  • CWE-329: Generation of Predictable IV with CBC Mode;
  • CWE-330: Use of Insufficiently Random Values

Expected Behavior:

The IV for CBC mode should be random and unpredictable for each encryption operation to ensure the security of the encryption scheme.

Actual Behavior:

the fork repo python-spider also miuses it.
https://github.com/Jack-Cherish/python-spider/blob/master/Netease/Netease.py#L33

Jack-Cherish/python-spider#127

A static IV is used across encryption operations, making the encrypted data less secure and potentially leading to patterns that can be exploited by attackers. Default--> b"0102030405060708"

Recommendation

Do not set default constant iv for CBC encryption. And modify the encryption process to generate a random IV each time an encryption operation is performed.

@huzpsb
Copy link

huzpsb commented Jul 30, 2024

But no changes can be made without breaking this tool...Are you really reviewing the results of your scan tool?

@gxx777 gxx777 closed this as completed Aug 3, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants