Wallet-app uses ECB encryption scheme. #197

Open
Hendrik-Schmidt-Schierhorn-TSI opened this issue May 20, 2022 · 0 comments
Labels
bug Something isn't working

Description

The wallet-app encrypts internal data, the QR code and TAN using the keystore. The chosen encryption scheme in the classes SecurityKeyWrapper and DefaultKeyStoreCryptor is ECB.
ECB produces identical encrypted data and is thus not recommended for multi-block data.
There is also no documentation of the security model this security feature is modeled for, so it's not possible to say if the feature is now faulty. While potentially not a meaningful issue for the presented data, it's not best practice and might be an issue later if templates extend the use case.

Possible Fix

Use a more secure encryption scheme in the wallet app.

Impact

Wallet-app data storage encryption scheme slightly leaks protected data.

@Hendrik-Schmidt-Schierhorn-TSI Hendrik-Schmidt-Schierhorn-TSI added the bug Something isn't working label May 20, 2022
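
The leak described in the issue, as an added example that is not code from the wallet-app: it encrypts a constructed multi-block plaintext in ECB mode and in GCM mode and counts repeated ciphertext blocks. It assumes AES as the block cipher (the issue does not name one) and uses a software key on a plain JVM instead of a keystore-backed key; the class name `EcbVsGcmDemo` and the sample plaintext are made up for the demonstration.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class EcbVsGcmDemo {
    static final int BLOCK = 16; // AES block size in bytes
    // Counts 16-byte ciphertext blocks that are identical to an earlier block.
    static int repeatedBlocks(byte[] ct) {
        int repeats = 0;
        for (int i = BLOCK; i + BLOCK <= ct.length; i += BLOCK) {
            byte[] cur = Arrays.copyOfRange(ct, i, i + BLOCK);
            for (int j = 0; j < i; j += BLOCK) {
                if (Arrays.equals(cur, Arrays.copyOfRange(ct, j, j + BLOCK))) { repeats++; break; }
            }
        }
        return repeats;
    }

    // ECB: no IV, every block is encrypted independently under the same key.
    static byte[] encryptEcb(SecretKey key, byte[] pt) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key);
        return c.doFinal(pt);
    }

    // GCM: the provider generates a fresh random IV per call; returns IV || ciphertext || tag.
    static byte[] encryptGcm(SecretKey key, byte[] pt) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key);
        byte[] iv = c.getIV(), ct = c.doFinal(pt);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey(); // software key (assumption), not a keystore key
        // Constructed sample: three identical 16-byte blocks followed by a short tail.
        byte[] pt = "TAN=1234567890;;TAN=1234567890;;TAN=1234567890;;end".getBytes(StandardCharsets.US_ASCII);
        System.out.println("ECB repeated blocks:   " + repeatedBlocks(encryptEcb(key, pt)));
        System.out.println("ECB deterministic:     " + Arrays.equals(encryptEcb(key, pt), encryptEcb(key, pt)));
        System.out.println("GCM repeated blocks:   " + repeatedBlocks(encryptGcm(key, pt)));
        System.out.println("GCM differs each call: " + !Arrays.equals(encryptGcm(key, pt), encryptGcm(key, pt)));
    }
}
```

The stored IV must be kept alongside the ciphertext so decryption can rebuild the `GCMParameterSpec`; GCM additionally authenticates the data, which ECB does not.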