Constant salts for PBE are insecure

Issue #979 resolved
Rumen Paletov
created an issue

As part of some research about the common crypto mistakes that developers make, I noticed that your application has one of them.

In particular, there's a violation of Rule 4 in sonia.scm.cli.config.ScmClientConfigFileHandler. That is, PBEParameterSpec is being initialized with a constant salt instead of a randomly generated one.

A viable solution would be to generate the salt using SecureRandom.

Comments (2)

  1. Sebastian Sdorra repo owner

    We have now redesigned the configuration store of the scm-cli-client. The new store uses aes to encrypt the configuration and transforms the old store on first usage to the new one. The patch will be released with version 1.60 of scm-manager.

  2. Log in to comment