personium/personium-lib-common

Inappropriate CBC IV usage in Local Token creation / parsing

shimono opened this issue · 0 comments

Overview

Currently we use the first 16 bytes of the reversed string of the Cell URL as the CBC Initial Vector.
It used to work for path-based Cell URLs, where the last part changes from cell to cell.
After the introduction of subdomain-based Cell URLs, however, the last part of a Cell URL no longer changes.

So it is no longer appropriate to use the current logic to create IV for CBC.

Current spec of IV

The first 16 bytes of the reversed string of Cell URL

New Spec of IV

Hash(Cell URL) using some appropriate Hash function

Additional Change needed.

When the AES-CBC decryption partially succeeds and partially fails, we get exceptions such as ArrayIndexOutOfBoundsException. We should catch such exceptions and throw one of our own exceptions, like "Token Parse Error".
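The two IV specs and the exception handling described in this issue, as an added example that is not code from personium-lib-common. The class and method names, the SHA-256 truncation to 16 bytes, the tab-separated token layout, the demo key and the URLs are all assumptions constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.*;
public class CellIvDemo {
    // Current spec: first 16 bytes of the reversed Cell URL.
    static byte[] currentIv(String cellUrl) {
        return Arrays.copyOf(new StringBuilder(cellUrl).reverse().toString().getBytes(StandardCharsets.UTF_8), 16);
    }
    // New spec: Hash(Cell URL). SHA-256 truncated to 16 bytes is an assumption.
    static byte[] hashedIv(String cellUrl) throws GeneralSecurityException {
        return Arrays.copyOf(MessageDigest.getInstance("SHA-256").digest(cellUrl.getBytes(StandardCharsets.UTF_8)), 16);
    }
    static byte[] aesCbc(int mode, byte[] key, byte[] iv, byte[] in) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(mode, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
        return c.doFinal(in);
    }
    // Hypothetical stand-in for the project's "Token Parse Error".
    static class TokenParseException extends Exception { TokenParseException(Throwable c) { super("Token Parse Error", c); } }
    // Hypothetical token layout: issuedAt \t lifespan \t subject
    static String subjectOf(byte[] key, String cellUrl, byte[] token) throws TokenParseException {
        try {
            byte[] plain = aesCbc(Cipher.DECRYPT_MODE, key, hashedIv(cellUrl), token);
            return new String(plain, StandardCharsets.UTF_8).split("\t")[2];
        } catch (GeneralSecurityException | RuntimeException e) {
            throw new TokenParseException(e); // padding errors and index errors alike
        }
    }
    public static void main(String[] args) throws Exception {
        String[][] pairs = { // constructed URLs: path-based, then subdomain-based
            {"https://unit.example.com/alice/", "https://unit.example.com/bob/"},
            {"https://alice.unit.example.com/", "https://bob.unit.example.com/"}};
        for (String[] p : pairs)
            System.out.printf("%s | %s currentIvEqual=%b hashedIvEqual=%b%n", p[0], p[1],
                Arrays.equals(currentIv(p[0]), currentIv(p[1])),
                Arrays.equals(hashedIv(p[0]), hashedIv(p[1])));
        byte[] key = "0123456789abcdef".getBytes(StandardCharsets.UTF_8); // constructed demo key
        byte[] plain = "1700000000\t3600\thttps://alice.unit.example.com/#me".getBytes(StandardCharsets.UTF_8);
        byte[] token = aesCbc(Cipher.ENCRYPT_MODE, key, hashedIv(pairs[1][0]), plain);
        System.out.println(subjectOf(key, pairs[1][0], token));
        try {
            subjectOf(key, pairs[1][1], token); // other cell's IV garbles only the first block
        } catch (TokenParseException e) {
            System.out.println(e.getMessage() + " <- " + e.getCause().getClass().getSimpleName());
        }
    }
}
```

In CBC a wrong IV corrupts only the first plaintext block, so padding can still validate and the failure surfaces later in field parsing, which is why the wrapper catches runtime exceptions as well as cipher exceptions. Either derivation gives every token of one cell the same IV; the hash only separates cells from each other.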