jeecgboot/jeecg-boot

Some cryptographic suggestions

Opened this issue · 5 comments

Gax-c commented
Some cryptographic suggestions
Gax-c commented
  1. Hardcoded Key and IV
    We've found that the key and IV are hardcoded in the code here, but it seems they have been abandoned according to another issue here.
    But in the file AesEncryptUtil.java the key and IV are still used here, so I wonder if there is any problem.
    private static String KEY = EncryptedString.key;
    private static String IV = EncryptedString.iv;
Gax-c commented
  1. Broken algorithm
    The algorithm used in file PasswordUtil.java here is PBEWithMD5AndDES. But this algorithm is regarded as insecure because both MD5 and DES are considered to be weak.
    public static final String ALGORITHM = "PBEWithMD5AndDES";
Gax-c commented
  1. SHA1withRSA and AES/ECB insecure
    These two algorithms are used in file SecurityTools.java here and here.
public class SecurityTools {
    public static final String ALGORITHM = "AES/ECB/PKCS5Padding";

    public static SecurityResp valid(SecurityReq req) {
        SecurityResp resp=new SecurityResp();
        String pubKey=req.getPubKey();
        String aesKey=req.getAesKey();
        String data=req.getData();
        String signData=req.getSignData();
        RSA rsa=new RSA(null, Base64Decoder.decode(pubKey));
        Sign sign= new Sign(SignAlgorithm.SHA1withRSA,null,pubKey);

The code uses SHA1withRSA for the signature verification, which is an outdated algorithm with known weaknesses and no longer recommended for use.
AES encryption in ECB mode is not recommended for use in cryptographic protocols because it does not provide serious message confidentiality.
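As an added illustration, not code from jeecg-boot or from the commenter, the standalone Java class below (JDK standard crypto only, no Hutool) shows why the two choices in SecurityTools matter: it encrypts a constructed plaintext of two identical blocks with "AES/ECB/PKCS5Padding" and reports the repeated ciphertext blocks, then shows the hardened form, AES-GCM with a fresh random nonce and SHA256withRSA in place of SHA1withRSA. All keys are generated in memory for the demo; the class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;

public class SecurityToolsDemo {
    // ECB (the mode in the issue): equal plaintext blocks give equal ciphertext blocks. True if any two 16-byte blocks match.
    static boolean ecbRepeatsBlocks(SecretKey key, byte[] pt) throws GeneralSecurityException {
        Cipher ecb = Cipher.getInstance("AES/ECB/PKCS5Padding");
        ecb.init(Cipher.ENCRYPT_MODE, key);
        byte[] ct = ecb.doFinal(pt);
        for (int i = 0; i + 32 <= ct.length; i += 16)
            for (int j = i + 16; j + 16 <= ct.length; j += 16)
                if (Arrays.equals(Arrays.copyOfRange(ct, i, i + 16), Arrays.copyOfRange(ct, j, j + 16)))
                    return true;
        return false;
    }
    // Hardened: AES-GCM with a fresh random 96-bit nonce; output is nonce || ciphertext || tag.
    static byte[] encryptGcm(SecretKey key, byte[] pt) throws GeneralSecurityException {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = gcm.doFinal(pt);
        byte[] out = Arrays.copyOf(nonce, 12 + ct.length);
        System.arraycopy(ct, 0, out, 12, ct.length);
        return out;
    }
    // Hardened signature check: SHA256withRSA in place of the SHA1withRSA used in SecurityTools.valid().
    static boolean verifySha256Rsa(PublicKey pub, byte[] data, byte[] sig) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(pub);
        s.update(data);
        return s.verify(sig);
    }
    public static void main(String[] args) throws Exception {
        byte[] pt = "0123456789abcdef0123456789abcdef".getBytes(StandardCharsets.US_ASCII); // constructed: two identical blocks
        SecretKey k = KeyGenerator.getInstance("AES").generateKey(); // demo key, 128-bit default
        System.out.println("ECB repeats blocks: " + ecbRepeatsBlocks(k, pt));
        System.out.println("GCM repeats output: " + Arrays.equals(encryptGcm(k, pt), encryptGcm(k, pt)));
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(kp.getPrivate());
        signer.update(pt);
        System.out.println("SHA256withRSA verifies: " + verifySha256Rsa(kp.getPublic(), pt, signer.sign()));
    }
}
```

The ECB line prints true for the repeated-block input while the GCM line prints false, because each GCM call draws a new nonce; the same random-nonce rule is what a fixed IV such as the one in AesEncryptUtil.java breaks.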

What you said is very instructive, but unfortunately the Jeecg open source team is not good at security engineering, so we can only provide basic security protection. Also, because Jeecg is an open source project, when it comes to using security algorithms we have only made a small number of changes to complete the security algorithm changes, so we would rather advocate that you modify the algorithm and choose a security algorithm that fits your field.